ISS Internet Scanner

Introduction

This class is an introductory-level class in network scanning using Internet Security Systems' (ISS) Internet Scanner. The class addresses the following topics:

Network Scanning
     Why perform network scans?
     Potential network performance and client impact

Internet Scanner Overview and System Requirements

ISS Keys
     Obtaining, using, and renewing
     Using PGP

Internet Scanner Installation

Express Updates

Scanning the Network
     Pre-configured scan policies
     Scanning with "pings" versus command line IP addresses
     Custom configured scan policies



Network Scanning

Network scanning looks at the network as a hacker might. Effectively, Internet Scanner is a hacking tool. Because of this, caution must be exercised when using this tool.

Why perform network scans?

Network scans should be performed regularly to evaluate the current state of network security. The scan can also provide information on immediate security threats due to trojans and back doors installed on host systems. Please note definitions in the Glossary of Terms.

Potential network performance and client impact

Anything that substantially increases scan times could have an impact on network performance. Tests for Denial of Service (DoS) attacks could have a significant impact on both the scanned host and network performance and are not recommended. Brute-force password attacks could have effects like a denial of service attack (based on account lockout rules on the system) and are not recommended for bulk scans.



Internet Scanner Overview and System Requirements

Internet Scanner was written to test systems from an external hacker perspective. By default, the program starts by pinging for potential hosts to scan. After hosts are identified, the program evaluates each host for vulnerabilities or potential vulnerabilities. After the scan finishes, Internet Scanner can generate a report formatted to your needs indicating the hosts and vulnerabilities.

ISS recommends the scans be conducted using a dedicated Windows system. They recommend a Windows system because Windows exploits cannot be detected and evaluated efficiently from a Unix system.

ISS recommends the following configuration for a scanning system:

Information Security uses the following configuration minimum:

Please note that personal firewalls running on the scanning system will probably need to be disabled during the scan.



ISS Keys

Keys required for Internet Scanner to run can be obtained from Information Security.

Obtaining, using, and renewing keys

Information Security requires the following information to provide the first ISS key:

Keys are valid for 90 days. Replacement keys are available on e-mail request and are supplied by e-mail encrypted with PGP.

Sample key:

Order confirmation number 9555001 for model TL-NSB-90
Attached below is your ISS software License. Save this entire message (do not copy and paste) using "iss.key" as the filename. Be sure to type the filename in double quotes, especially if using a Windows system, in order to avoid having your system apply some other extension to the file name.
Place this file in the appropriate installation directory for the respective product.

It is not necessary to decode this license or modify it in any way, even though email headers and footers may be present.

Please email support@iss.net if you encounter any problems using this license.

To upgrade your software to the most current version, go to:

And enter the following username and password information:

    Username = yes-me
    Password = something

(Reminder: Once the Maintenance on your License has expired, you will not be able to use the License with subsequent versions of the product.)

-----BEGIN ISSKEY5----

s1UrBfFSW9IQhkxtwb9ySTtEGcBeUZj5BYlwEzSqIvCHvoKpH2dRXkeSrPu5LDWT
JW+6Mc2DOHzJfFLt213ruu2RJJcI92mpY7Teh9d6OzwA9JY6n33rkhWO76ZzaBMk

You may notice that the website, ID, and password are provided within the key to download the current software for installation.

Using PGP

The freeware version of PGP is available from MIT at http://web.mit.edu/network/pgp.html. PGP has a plug-in for easy use with Eudora, Outlook, and Outlook Express.

Running “PGP Keys” displays the screen below.

Select your key and the “Keys” pull-down menu. From that menu, select “Export” and you will receive the screen noted below.

Please ensure that “Include Private Key(s)” is NOT checked and the resulting file is your public key.



Internet Scanner Installation

When you enter the URL provided in the key, your browser should display an authentication box like the one noted below.

Enter the ID and password provided and you should receive the screen below.

You should select Internet Scanner to download and select “Continue”.

You will receive a screen noting the export restrictions on this software. Please enter the requested information and click on “Submit”.

You should receive the screen noted below. Please download all of the files into a single directory. If you split the downloaded files into multiple directories, the installation will fail.

The installation is fairly standard for Internet Scanner. The default directory is C:\Program Files\ISS\Scanner6. After the installation completes, you will need to restart the system.



Express Updates

Since new exploits are recognized and created regularly, Internet Scanner must be updated regularly. Express Update (installed with Internet Scanner) checks for current updates and applies the updates appropriately when located. Please note that Internet Scanner should not be running when Express Update is executed.

The Express Update initially looks like the screen below. The program is easy to use and intuitive.



Scanning the Network

To scan the network or specific hosts, start by running Internet Scanner. The program will note at execution time the number of current exploits used (816 at publication time).

After the program finishes loading, the menu noted below appears.

Normally, you will want to run a new session, open a session from the database, or generate a report from a previously completed scan. For this class, we are addressing new sessions. You may receive multiple keys depending on the IP addresses provided. The following screen allows you to select the key you wish to use.

Pre-configured scan policies

Internet Scanner installs with several established scan policies (noted below).

An “L” and a number indicate the “level” or intensity of the scan profile. The higher the number, the more intensive and time-consuming the scan performed.

To better understand the scan policies, please review the individual scan policies and create your own.

Scanning with "pings" versus command line IP addresses

Scanning without pings to locate valid hosts is necessary to scan hosts “running in stealth mode” (note the screen with options below).

However, these scans can create problems with specific network equipment. You should use command line without pings only when specifying known and appropriate IP addresses (note the screen below). IP ranges should not be scanned using this option.
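One way to enforce this rule before a no-ping scan, as an added example (not part of Internet Scanner or the original class material): the Python check below accepts only single IP addresses that appear on an approved host list and refuses ranges and subnets. The function name, the approved list and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address space), not real hosts.
SAMPLE_APPROVED = ["192.0.2.10", "192.0.2.25"]
SAMPLE_ENTRIES = [
    "192.0.2.10",
    "192.0.2.0/24",            # subnet
    "192.0.2.20-192.0.2.30",   # range
    "192.0.2.99",              # single host, but not approved
    "192.0.2.300",             # malformed
    "192.0.2.25",
    "192.0.2.10",              # duplicate
]

def vet_no_ping_targets(entries, approved_hosts):
    """Split a proposed no-ping target list into accepted hosts and rejections.

    entries        -- strings as an operator would type them
    approved_hosts -- single IPs known to be live and appropriate to scan
    Returns (accepted, rejected); rejected holds (entry, reason) tuples.
    """
    approved = {ipaddress.ip_address(h) for h in approved_hosts}
    accepted, rejected = [], []
    for raw in entries:
        item = raw.strip()
        if not item or item.startswith("#"):
            continue  # skip blank lines and comments
        try:
            # ip_address() only parses one host; "a-b", CIDR and names fail.
            addr = ipaddress.ip_address(item)
        except ValueError:
            # Without the ping sweep every address in a range would be
            # probed, live or not, so anything but one host is refused.
            rejected.append((item, "not a single IP address"))
            continue
        if addr not in approved:
            rejected.append((item, "not on the approved host list"))
        elif addr in accepted:
            rejected.append((item, "duplicate entry"))
        else:
            accepted.append(addr)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = vet_no_ping_targets(SAMPLE_ENTRIES, SAMPLE_APPROVED)
    print("scan without pings:", ", ".join(str(a) for a in ok))
    for entry, reason in bad:
        print(f"refused {entry}: {reason}")
```

Only the accepted addresses would then be entered as command line targets; anything refused goes back through a normal ping-based scan or to Information Security for review.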

Custom configured scan policies

To create a custom policy, you will need to follow these steps:

  1. Click on “Add Policy”. You will receive a screen noting the steps required to create a policy. Click on “Next >”.
  2. You will receive a list of existing policies to use as a starting point to create your own policy. Select an appropriate policy and click on “Next >”.
  3. You will be prompted for a name for your new scan policy. After naming your new policy, click on “Next >”.
  4. You will see a screen similar to the one noted below. Examine the configuration options and select the scan that you need. Information Security is available for additional information and guidance.

  5. After selecting the appropriate scan options, you need to save your scan policy and close the policy editor. Your new policy will appear in the Policy Select screen noted earlier.



Glossary of Terms

Back Door: An entry point installed on a system without the system administrator’s knowledge

Denial of Service attack (DoS): An attack that uses high-bandwidth system(s) to overwhelm a system and prevent normal system use

Exploit: A program or script specifically written to compromise a system using a known security hole

Host: A computer being scanned for vulnerabilities

Key: A file that enables a certain computer function to work (e.g., decrypting or encrypting a file, or allowing Internet Scanner to run against a specific set of IP addresses)

Ping: Sending a single packet to a system or IP and looking for a response

Trojan: A program represented to do one thing while actually doing something else. Typically, a trojan will be presented as a movie or a sound file that actually installs a back door in the system.

Virus: Traditionally, a program that infects other programs or operating systems and moves between systems with file transfers. More recently, this term and worm are merging due to Microsoft’s problems with macro viruses, ActiveX, and Visual Basic Scripting.

Worm: A program that exploits security holes within a system and between systems to replicate across a network