Scanning with ISS

Security-SIG

15 December 2005

David Taylor & John Lupton

ISC Information Security

ISC/Information Security

ISS - Internet Security Scanner
  • Commercial product of Internet Security Systems
  • Provides Windows-based scanning for vulnerabilities on hosts running all major PC operating systems
    • Windows
    • Mac OS X
    • Unix/Linux

security@isc.upenn.edu

Which Windows?
  • Dave Taylor sez…
    • Windows 2000 or above, BUT…
    • Win 2003 and XP/SP2 have been problematic
    • Win 2000 or XP/SP1 seem to work best

Who’s Allowed to Scan?
  • Anyone is permitted to scan their own system
  • Penn Sysadmins and LSPs are permitted to scan IP addresses/ranges for which they have responsibility

Scanning Etiquette
  • The “Golden Rule”…you don’t appreciate someone else scanning your addresses without your knowledge or permission, right?
  • “Let My People Know”…unless there’s a good reason to keep it secret, tell your users when you will be scanning, and from which IP address

Firewalls
  • If you are scanning from inside a firewall, you will need to disable it to prevent problems with scan accuracy
  • If your target(s) is/are behind a firewall, you will need to:
    • Disable the firewall during the scan, OR
    • Locate the scanning system inside the firewall

Downloading & Installing ISS
  • Go to www.iss.net/download
  • Set up an account (necessary, but free)
  • Sign in to the Download Center
  • Search for Internet Scanner 7.0 SP2
    • Allows installation of SQL desktop engine as part of single installation
    • Dave sez: older versions require separate installations, and are “a pain in the bootie”.
  • Click on colored “FULL INSTALLS” tab
  • Download file (there’s only one) and install as per instructions

OK, what next?…
  • The software “as is” will allow scanning of the localhost (127.0.0.1)
  • To scan other hosts, you need to obtain and install a “key”
  • Send email to security@isc - we will “cut” you a key and transmit it to you, along with instructions on how to import it into ISS

Installing Updates
  • After installing the ISS application, update the scanning modules by running “X-Press Update Install”
    • Located in ‘Start’ menu
    • Go to Starbucks…it will take a while
  • Once the updated modules have been installed, you’re ready to roll

Scanning Credentials
  • From a stand-alone, non-domain system:
    • Results similar to what an outside hacker could see
  • From a standard domain user account:
    • Results similar to what other domain users could see
  • From a Domain Administrator account:
    • Results will show much more detail, e.g. patch level

Set Up a Session
  • From ‘Start’ Menu…
    • Create a new session
    • Choose a template, OR start with a blank session and construct your own new policy
    • Give it a name, and click ‘OK’
    • Edit the policy and select your scan target(s)
  • Be Aware!…Plugins for Destructive Denial of Service vulnerabilities may cause a remote system to become unresponsive - or crash altogether

Set Up a Session (cont.)
  • Save the policy and close the Policy Editor
  • Select the policy, then name the session
  • Enter a host range, or load from a list
    • Remember the “Golden Rule” - don’t scan anyone’s space but your own
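
One way to enforce the “Golden Rule” before a host range or list is loaded into a session, as an added example (not part of the original presentation or of ISS): a Python check that accepts an entry only if every address in it falls inside the space you are responsible for. The addresses are constructed documentation ranges, and the function names and the list format (one IP, first-last range or CIDR per line, with # comments) are assumptions.

```python
import ipaddress

# Constructed sample data (documentation ranges); not taken from the presentation.
AUTHORIZED = ["192.0.2.0/25", "198.51.100.16/28"]
HOST_LIST = """\
# targets for tonight's session
192.0.2.10
192.0.2.20-192.0.2.22
192.0.2.120-192.0.2.130
198.51.100.0/28
not-an-address
"""

def parse_entry(entry):
    """Turn one entry (single IP, first-last range, or CIDR) into a list of networks."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def check_scope(host_list_text, authorized_cidrs):
    """Split entries into (in_scope, rejected); an entry passes only if fully covered."""
    nets = [ipaddress.ip_network(c) for c in authorized_cidrs]
    allowed = []
    for version in (4, 6):  # merge adjacent blocks so ranges spanning them still pass
        allowed += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    in_scope, rejected = [], []
    for raw in host_list_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            parsed = parse_entry(entry)
        except (ValueError, TypeError) as exc:
            rejected.append((entry, f"unparseable: {exc}"))
            continue
        outside = [n for n in parsed
                   if not any(n.version == a.version and n.subnet_of(a) for a in allowed)]
        if outside:
            rejected.append((entry, "outside authorized space: " + ", ".join(map(str, outside))))
        else:
            in_scope.append(entry)
    return in_scope, rejected

if __name__ == "__main__":
    ok, bad = check_scope(HOST_LIST, AUTHORIZED)
    print("OK to load:", ok)
    for entry, reason in bad:
        print("REJECTED:", entry, "->", reason)
```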

To Ping, or not to Ping?
  • You have an option to “ping” the hosts in your target range before the scan is performed
  • Many hosts are configured to block all ICMP activity, but can still be scanned
  • Generally better to NOT use the “ping” option
    • Scans take longer, but are usually more accurate
    • If hosts you know are present return “unreachable”:
      • Use ‘Tools->Session Properties’ and choose ‘Scan Always’
      • Forces ISS to run all modules in the policy

Running the Scan
  • Let ‘er rip…
  • Go to Starbucks again

Result Reports
  • Results can be presented in several escalating levels, e.g.:
    • Executive summary
    • Technically detailed, with step-by-step mitigation procedures
  • Need help? Write to us at security@isc

Useful Links
  • Download: www.iss.net/download
  • Support: www.iss.net/support
  • Plug-in Info: xforce.iss.net/
  • SANS Internet Storm Center: isc.sans.org
  • SANS@Risk: www.sans.org/newsletters/risk
  • French Security Incident Response Team (known for releasing Zero-Day Advisories): www.frsirt.com/english/
  • Metasploit: www.metasploit.com
