
Cisco Secure Scanner

Prepared By: Mohammad Aktaruzzaman, Aniruddha Bharadwaj, Swagata Pramanik

Supervised By: Dr. Aggarwal
60-592

Brief Details of Software:
Name of the software: Cisco Secure Scanner
Version: 2.0
Produced By: Cisco Systems
Purpose: The Scanner helps network administrators and security consultants to ensure preparedness by detecting and reporting on vulnerabilities on network hosts.
Download from: http://www.cisco.com/warp/public/cc/pd/sqsw/nesn/
Comments: Evaluation copy (For 1 Host)

1 Introduction

Cisco Systems, Inc., the worldwide leader in networking for the Internet, offers comprehensive, end-to-end security solutions for the enterprise. The Cisco Secure line of security solutions includes the Cisco Secure Scanner, the vulnerability scanner and network mapping system. The Scanner enables an enterprise to diagnose and repair security problems in networking environments. The Scanner helps network administrators and security consultants to ensure preparedness by detecting and reporting on vulnerabilities on network hosts.

2 What does the software do?

The Scanner scans the network to uncover vulnerabilities that threaten the security of the network. It helps to find out the
a) Vulnerability of the network
b) Vulnerability details
c) Report

a) Vulnerability of the network
The Scanner discovers security weak points on our network before intruders can exploit them. The Scanner allows us to automatically compile an inventory of networking devices and servers on our network.

b) Vulnerability details
By using the vulnerability inventory database, the Scanner identifies vulnerabilities associated with network services. It then compiles a list of the discovered vulnerabilities and displays them in a grid.

c) Report
After that it makes a HTML document file. It is a well-documented report. It gives a descriptive solution for the vulnerability, which is(are) detected. The solution comes from Network Security Database (NSDB).

3 Which Networks to Scan

We can use the Scanner to scan all IP-based networks. The Scanner can scan networks connected to the Internet as well as standalone networks.
4 When to Use the Scanner

Using the Scanner in conjunction with firewalls, Intrusion Detection Systems (IDSes), and other security measures ensures security in depth.

4.1 Use the Scanner on a Recurring Basis

The Scanner should be used on a recurring basis. The scheduling function allows us to set up sessions on a regular or random basis. As sessions are run, we can review the session data and compile grids, charts, and reports, and thus always be knowledgeable about the security of our network.

4.2 Recommendations for Using the Scanner

Follow these recommendations to make the best use of the Scanner:

Dedicated security staff personnel: Have a member of our security staff dedicated to using the Scanner to patrol the network and to fixing any holes that are uncovered.

When to run: Run the Scanner at times when network traffic is at a minimum.

Notify users of scanned devices in advance of a session: Users need to know which sessions are authorized so they can take action and make improvements to the network's security based on the session results.

Vary session times: Run sessions at various times of the day and week to improve the chances of accessing systems that may be unavailable at certain times.

Run unscheduled sessions on secure systems: After we have secured our network, run unscheduled sessions to maintain the security of the network. Run unscheduled sessions against systems that have already passed a scheduled scan to make sure no new vulnerabilities have been introduced.

New machines and devices added to the network: Scan new machines immediately to uncover any security weaknesses. Use the Scanner to measure and manage change on our network.

New vulnerabilities: If we discover a new vulnerability, contact Cisco Systems. Updates to the vulnerability rules database will also be made available to Cisco customers on a regular basis. Check the following URL to download new updates: www.cisco.com/go/scanner

5 How to use the scanner

This is main screen of secure scanner.
Figure 1: Scanner Main Screen (toolbar callouts: help; Create new session; Click to bring up preference dialogue box; Access NSDB; rename session; View highlighted items (session); delete selected session)

5.1 Different Pop-up purpose of different option:

To get these menu options, right-click the item named at the start of each line:

Scanner Sessions: Create New Session, Exit
Sample Session (or the name of any other session): Modify Session Configuration, Delete Session, Rename Session, Exit
Result Set: View Grid Data, View All Host Data, Delete Result Set, Create New Report, Exit
Chart Name (under the Charts subfolder): View Chart, Rename Chart, Delete Chart, Exit
Grid Name (under the Grids subfolder): View Grid, Rename Grid, Delete Grid, Exit
Report Name (under the Reports subfolder): View Report, Rename Report, Delete Report, Exit

5.2 Create a new session

5.2.1 What is a session?

A Scanner session consists of either a scan or a probe that we configure to search our network for potential and confirmed security weaknesses. Scans include nudges, which are not user-configurable, but rather work in the background during the scan to obtain more information. With the information gathered from a session, we can then create a comprehensive security policy that can be reassessed and updated on a regular basis. We can schedule network sessions at different days and times, as well as on a recurring basis so that we are always aware of the state of our network security.

A scan is a passive analysis technique that identifies the open ports found on each live network device and collects the associated banners from these open ports. Each port banner is compared against a database of rules to identify the network device type, its operating system, and all potential vulnerabilities.

A nudge performs additional nonintrusive queries when needed. As the Scanner scans network hosts for active TCP and UDP ports it also collects "banners" from the listening services. These banners include login prompts from Telnet servers, version messages from SMTP servers, FTP server authentication prompts, and so on. Most of this banner information is collected when the Scanner connects to the port in question and captures the response from the server. In some cases the Scanner must interrogate network services further by issuing special, protocol-specific commands, nudges, to get security relevant information. Nudges are automatically executed when the services they are designed to query are discovered on a network host.

A probe is an active analysis technique that uses the information obtained during a scan to more fully interrogate each network device. The probe uses well-known exploitation techniques to fully confirm each suspected vulnerability as well as to detect any vulnerabilities that cannot be found using passive techniques. The main difference between a Scanner scan and a Scanner probe is that the scan is nonintrusive while the probe actively confirms the presence of known vulnerabilities.

5.2.2 Make a new session

Figure 2a: Making a session (callouts: IP address of the computer (which network to scan); port number (which to check); how often need to scan)

Figure 2b: Giving IP address of the network

Note: We are using an evaluation copy of the scanner. So due to the limitations of the version we are allowed to scan only one host at a time. But in the original version we just need to give the first and last computer's IP address of the network and the IP address of any other computer (which does not have a consecutive IP address).

Figure 2c: Selecting the TCP and UDP ports (callouts: TCP ports list (which are to be scanned); UDP ports list (which are to be scanned))

Figure 2d: Fixing the schedule (callouts: Time (12:00 pm); daily; every 3 days succession)

This means the scanner will scan at 12:00 pm every three days if the scanner is on.

Figure: Scanning is going on (callout: Progress bar)

Basically we have to follow these steps to make a new session:

Step 1 Right-click the Scanner Sessions folder, and then click Create New Session, or click Create New Session on the toolbar. This opens the Session Configuration dialog box, where you configure your session.

Step 2 Click the Network Addresses tab (default).

Step 3 Select the Scan network check box (default).

Step 4 Select the Enable DNS Resolution check box if you want to find out whether the IP address that you are scanning is associated with a name.

Step 5 Click Add to insert a data line.

Step 6 If you are configuring a session for a single host, see Step 7. If you are configuring a session for a range of hosts, see Step 8. If you want to exclude an address from a range of hosts, see Step 9. If you are excluding a range of IP addresses from a range of hosts, see Step 10.

Step 7 For a single host:
  (a) Click the IP Address Begin field and type a valid IP address of a single host.
  (b) Leave the Excluded Address, IP Address End, Force Scan, Ping Timeout, and Ping Retries fields at the default settings when scanning a single IP address.

Step 8 For a range of hosts:
  (a) Click the IP Address Begin field and type the first (lowest) IP address.
  (b) Click the IP Address End field and type the last (highest) IP address.
  (c) Leave the Excluded Address, Force Scan, Ping Timeout, and Ping Retries fields at the default settings when scanning a range of IP addresses.

Step 9 To exclude an address from the range of hosts:
  (a) Click Add to insert another data line.
  (b) Select the Excluded Address check box.
  (c) Click the IP Address Begin field and type the IP address to be excluded.
  (d) Leave the Force Scan, Ping Timeout, and Ping Retries fields at the default settings.

Step 10 To exclude a range of addresses from a range of hosts:
  (a) Click Add to insert another data line.
  (b) Select the Excluded Address check box.
  (c) Click the IP Address Begin field and type the (first) lowest IP address in the range to be excluded.
  (d) Click the IP Address End field and type the (last) highest IP address in the range to be excluded.
  (e) Leave the Force Scan, Ping Timeout, and Ping Retries fields at the default settings.

Step 11 Click the Vulnerabilities tab.

Step 12 Under Discovery Settings, click the TCP Ports tab (default).

Step 13 Click one of the following options:
  None: No ports are scanned.
  Low Ports: All ports in the range of 1-1024.
  Well-Known Ports (default): Specific ports such as DNS, SMTP, FTP, Telnet, and so forth.
  Low Plus Well-Known: TCP ports 1-1024 plus well-known services on ports above 1024.
  All Ports: TCP ports 1-65535.

Step 14 Under Discovery Settings, click the UDP Ports tab.

Step 15 Click one of the following options:
  None: No ports are scanned.
  Well-Known Ports (default): Specific ports such as DNS, NFS, TFTP, and so forth.

Step 16 If you are configuring a probe, follow Steps 17-19. If you are configuring a scan, continue with Step 20.

Step 17 Select the Enable active probes check box. This allows the Scanner to probe your network and confirm vulnerabilities.

Step 18 Choose an option from the Vulnerability Profile drop-down list: Unix Heavy, Windows Heavy, All Heavy, Unix Severe, All Lite, Windows Lite, Windows Severe, UNIX Lite, All Severe.

Step 19 You can either use the defaults associated with each option or you can select the check boxes next to the vulnerabilities that you want to confirm. There are thirteen categories with subcategories under each: DNS, FTP, Finger, HTTP, NFS, NT, Netbios, Rlogin, Rsh, SMTP, TFTP, Telnet, XWindows.

Step 20 Click the Scheduling tab.

Step 21 In the Time drop-down list, click the time you want to schedule the session. The default is Immediately.

Step 22 Select a Recurrence Pattern option: Once (default), Daily, Weekly, or Monthly.

Step 23 Type a value in the Month, Day, and Year fields.

Step 24 Click OK to begin the session. Make sure you have configured the Network Addresses, Vulnerabilities, and Scheduling options correctly before beginning the session. The New Session Name dialog box appears on screen.

Step 25 Type a name for your session in the New Session Name dialog box and click OK.
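Before a session is authorized it helps to see exactly which hosts the data lines from Steps 7-10 add up to. The following is an added example, not part of the Scanner or of the original report: the function names, the host cap, the sample data lines, and the rule that excluded lines are subtracted regardless of the order in which they were added are all assumptions.

```python
import ipaddress

# RFC 1918 blocks, which the report's recommendations name for internal networks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_HOSTS = 65536  # hypothetical cap so a typo cannot expand to millions of hosts


def expand(begin, end=None):
    """Expand one data line (IP Address Begin / IP Address End) into addresses."""
    first = ipaddress.IPv4Address(begin)
    last = ipaddress.IPv4Address(end) if end else first  # End left blank: single host
    if last < first:
        raise ValueError(f"IP Address End {last} is lower than IP Address Begin {first}")
    if int(last) - int(first) + 1 > MAX_HOSTS:
        raise ValueError(f"range {first}-{last} exceeds {MAX_HOSTS} hosts")
    return {ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)}


def resolve_scope(data_lines):
    """Return the sorted addresses a session would touch.

    Each data line is (begin, end_or_None, excluded), mirroring Steps 7-10.
    Assumption: excluded lines are subtracted from the union of the included
    lines, whatever order the lines were added in.
    """
    included, excluded = set(), set()
    for begin, end, is_excluded in data_lines:
        (excluded if is_excluded else included).update(expand(begin, end))
    return sorted(included - excluded)


def outside_rfc1918(addresses):
    """Addresses that are not internal-only and deserve a second look
    before the session is authorized."""
    return [a for a in addresses if not any(a in net for net in RFC1918)]


# Constructed data lines (not from the report): a range, one excluded host,
# an excluded sub-range, and a single host outside the internal blocks.
SAMPLE_LINES = [
    ("192.168.0.1", "192.168.0.10", False),
    ("192.168.0.5", None, True),
    ("192.168.0.8", "192.168.0.9", True),
    ("198.51.100.7", None, False),
]

if __name__ == "__main__":
    scope = resolve_scope(SAMPLE_LINES)
    print("targets:", ", ".join(str(a) for a in scope))
    print("not RFC 1918:", ", ".join(str(a) for a in outside_rfc1918(scope)))
```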

5.3 Creating new report:

Figure 3a: Making the report (callout: Creating a new report)

Now Result Set, Create New Report helps us to make a complete vulnerability report.

There are three types of default reports available in the Report Wizard:
Executive Report: A summary report of the session results
Brief Technical Report: A short, but technical summary of the session results
Full Technical Report: A full report of the session results, which includes detailed, technical information

5.3.1 Demo report:

Figure 4: 1 Vulnerability (callout: Found one vulnerability)

Here we try to present part of an original report, because our original report is pretty big.

5.3.2 Summary of Findings

Category: Description
Date & Time: Sun Mar 10 01:00:05 EST 2002
Scan Duration: 2 minutes 23 seconds
Address Range(s): 192.168.0.3
Number of Live Hosts: 1
Number of Vulnerabilities: 1
Number of High Severity Vulnerabilities: 1
Number of Medium Severity Vulnerabilities: 0
Number of Low Severity Vulnerabilities: 0
Number of Potential Vulnerabilities: 1
Number of Confirmed Vulnerabilities: 0

5.3.3 Recommendations on the basis of the report

By performing network vulnerability assessments, management and network administrators have demonstrated a commitment to improving network security. A continued commitment to enhanced security posture will increase Home's confidence in the security of its data. The following changes are recommended to improve network security:

- Remove all desktop dial-in modems and provide users with secure, monitored dial-in access through a centralized modem pool.
- Disable all services that are not required to perform a device's stated task.
- Implement password selection and control to minimize the hazards of poor or nonexistent passwords.
- Train users and system administrators on proper password usage for a secure operating environment.
- Change default configurations as appropriate for each system. See the Detailed Vulnerability Appendix for specific recommendations.
- Install appropriate tools to facilitate automation of security monitoring, intrusion detection, and recurring network vulnerability assessment.
- Use RFC 1918 nonroutable address block 172.16.0.0 for the internal networks. RFC 1918 addresses are designated as "internal only" addresses and cannot be routed across the Internet.

Experience has shown that a focused effort to address the problems outlined in this report can result in dramatic security improvements. Most of the identified problems do not require high-tech solutions, just knowledge of and commitment to good practices. For systems to remain secure, however, security posture must be evaluated and improved continuously. Establishing the organizational structure that will support this ongoing improvements is essential in order to maintain control of corporate information systems.

5.3.4 Session Parameters

Parameter: Description
Address Space(s) Scanned: 192.168.0.3
TCP Ports Scanned: 1-65535
UDP Ports Scanned: 22, 42, 53, 67, 68, 69, 111, 161, 201-208, 512, 513, 514, 517, 2049, 5632, 7648-7652, 31337
Scheduling: Once on Sun Mar 10 00:59:40 EST 2002 Immediately
Date Scan Started: Sun Mar 10 01:00:05 EST 2002
Date Scan Stopped: Sun Mar 10 01:02:29 EST 2002
Scan Duration: 2 minutes 23 seconds

5.3.5 Scope and Findings

The purpose of a Cisco Secure Scanner scan is to identify vulnerabilities in an enterprise's network assets. The Scanner can identify routers, switches, firewalls, hubs, print and file servers, and hosts. It can also identify operating systems and network services running on identified network devices.

This information constitutes an effective electronic map from which the Scanner can easily base exploitation to confirm vulnerabilities. For the address spaces analyzed, the Scanner discovered a total of 1 live hosts. The following table summarizes live hosts, potentially vulnerable hosts, and confirmed vulnerable hosts:

5.3.6 Summary of Findings

Address Space: 192.168.0.3
Live Hosts: 1
Potential Vulnerabilities: 1
Confirmed Vulnerabilities: 0

The following table summarizes vulnerability counts sorted by severity:

Vulnerability Count by Severity
Severity Level / Total Hosts Affected / Total Vulnerabilities
3 (High) / 1 / 1
2 (Medium) / 0 / 0
1 (Low) / 0 / 0

Ranking of Services Running by Frequency
Address Space(s) / Service Name / Count
192.168.0.3 / NetBIOS : msrpc / 1
192.168.0.3 / Web : http / 1
192.168.0.3 / Remote-Access : ssh / 1

Ranking of Potential Vulnerabilities by Frequency
Address Space / Potential Vulnerability / Count
192.168.0.3 / 3 : Access : SSH.RSAREF-Overflow : Vp : 10060 / 1
192.168.0.3 / N/A / N/A
192.168.0.3 / N/A / N/A

The following table summarizes the three most frequently found confirmed vulnerabilities in the address space(s) scanned:

Ranking of Confirmed Vulnerabilities by Frequency
Address Space / Confirmed Vulnerability / Count
192.168.0.3 / N/A / N/A
192.168.0.3 / N/A / N/A
192.168.0.3 / N/A / N/A

5.3.7 Result from DATABASE

Now this is the definition and possible solution of the detected vulnerability of our network which is discussed above. We get this result from the Network Security Database (which comes with the software).

SSH RSAREF2 Buffer Overflow

Cisco ID: 10060
Severity Level:
Affected System(s):
Vulnerability Type:
CVE ID: CVE-1999-0834
Exploit Type:

Operating System: All Systems
Version - Architecture: Any - Any

Affected Program(s):
Software Program: SSH, Version: 1.2.27
Software Package: SSH, Package Version: Any

Aliases:
XForce Database: rsaref-bo, ssh-rsaref-bo

Figure 5: Brief description of our problem

5.3.7.1 Description:
Versions of ssh and sshd compiled using the --with-rsaref option are vulnerable to buffer overflow. The bug is present in all versions of SSH1, up to and including 1.2.27. During key exchange, the RSAREF2 library does not bounds check the length of the key it is passed. The overflow can occur on either client or server.

5.3.7.2 Consequence(s):
It is possible to execute arbitrary commands as the user that runs the RSAREF2 code. For SSH up to 1.2.27 compiled with RSAREF2 this implies the remote execution of arbitrary commands as root.

5.3.7.3 Countermeasure(s):
A patch provided by SSH Communications is available from the CERT/CC web site. This version of the patch has been signed by the CERT/CC.
Use a version of the RSA implementation that is not vulnerable to this attack. As of September 2000, the RSA patent has expired and there is no reason to use RSAREF.
Use the Open Source version of SSH (http://www.openssh.org)

5.3.7.4 Advisory(s):
Buffer Overflows in SSH daemon and RSAREF2 Library

5.3.7.5 Related Info Link(s):
http://www.cert.org/advisories/CA-99-15-RSAREF2.html

5.3.7.6 Fix/Upgrade/Patch Link(s):
http://www.cert.org/advisories/CA-99-15/ssh-patch.txt

5.3.7.7 Exploit Link(s):
ftp://ftp.core-sdi.com/pub/exploits/ssh-rsaref-bo

Important Note: 5.3.3 is completely taken from original report
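Section 5.2.1 says a scan compares each port banner against a database of rules, and the report above lists SSH.RSAREF-Overflow as a potential rather than a confirmed vulnerability. The following added example, which is not the Scanner's code or part of the original report, shows why a banner rule can only reach "potential"; the rule structure, function names, banner strings and the hosts 192.168.0.4 and 192.168.0.5 are constructed assumptions.

```python
import re

# Constructed rule in the spirit of the Scanner's rule database. The real NSDB
# rule format is not shown in the report, so this structure is an assumption;
# the ID, name and version bound are the ones the report prints.
RULES = [{
    "cisco_id": 10060,
    "name": "SSH RSAREF2 Buffer Overflow",
    # SSH identification string: SSH-<protocol version>-<software version>
    "banner": re.compile(r"^SSH-1\.\d+-(\d+(?:\.\d+)+)"),
    "max_affected": (1, 2, 27),  # "up to and including 1.2.27"
}]


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def assess(banners, probe_confirmed=frozenset()):
    """Match (host, port, banner) records against RULES.

    A banner reveals the version but not whether the binary was built
    --with-rsaref, so a match is only 'potential'. It becomes 'confirmed'
    only if (host, cisco_id) is in probe_confirmed, which stands in for
    the result of an active probe.
    """
    findings = []
    for host, port, banner in banners:
        for rule in RULES:
            match = rule["banner"].match(banner.strip())
            if not match or version_tuple(match.group(1)) > rule["max_affected"]:
                continue
            confirmed = (host, rule["cisco_id"]) in probe_confirmed
            findings.append({"host": host, "port": port,
                             "cisco_id": rule["cisco_id"], "name": rule["name"],
                             "status": "confirmed" if confirmed else "potential"})
    return findings


def summarize(findings):
    """Count findings the way the report's summary table does."""
    counts = {"potential": 0, "confirmed": 0}
    for finding in findings:
        counts[finding["status"]] += 1
    return counts


# Constructed banners; the report does not show the banner text it collected.
SAMPLE_BANNERS = [
    ("192.168.0.3", 22, "SSH-1.5-1.2.27\n"),
    ("192.168.0.3", 80, "HTTP/1.0 200 OK\r\n"),
    ("192.168.0.4", 22, "SSH-1.99-OpenSSH_2.9p2\n"),  # OpenSSH string, not matched by this rule
    ("192.168.0.5", 22, "SSH-1.5-1.2.30\n"),          # newer than 1.2.27
]

if __name__ == "__main__":
    found = assess(SAMPLE_BANNERS)
    for f in found:
        print(f["host"], f["port"], f["cisco_id"], f["name"], f["status"])
    print(summarize(found))
```

With the sample input only 192.168.0.3 port 22 is flagged, giving one potential and zero confirmed findings, the same counts as the report's summary.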

Grid Data

Figure 6: Grid Data (By VUL/Host) (callouts: vulnerability; view option; 1 vulnerability detected)

Making chart from GRID data

In this example we have only one vulnerability, so we cannot make a graph from that data. But there is a sample session that comes with this evaluation software, and we make a graph by using that example.

Figure 7: Grid Data of different network (callouts: vulnerability; Selected column; Host IP)

To create a chart from your grid data, follow these steps:

Step 1 From the Grid Browser, highlight the cells that we want to chart.

Step 2 Click Create Chart on the toolbar, or right-click the highlighted cells and click Chart on the pop-up menu.

By using the above data we make the following pie chart.

Figure 8: Chart from grid data

Figure 9: No vulnerability found (callout: No vulnerability found)

Conclusion

This is truly a good network secure scanner because it not only helps to diagnose and repair security problems in networking environments, it also generates a very good report. By using the report we can fix our problem. Another good thing about this software is that it comes with a Network Security Database, which contains most of the existing network scanning problems. From our (our group) point of view this is a complete network secure scanner by CISCO. We could not explore more advanced scanning facilities due to the limitations of the evaluation version of the software.
