Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Vulnerabilities Remotely Scanned by ISS

Admind
Alerter and Messenger Services
All Access NetBIOS share — Everyone
All Access NetBIOS share — Guest
All Access NetBIOS share
Anonymous FTP
Bootparam
Brute-Force
Brute-Force Netware FTP
Brute-Force Cisco
CGI Exec
Check Share Passwords
Data Flood
Echo, Chargen, Time, and Daytime Services
Files Obtained
Finger
Finger Bomb
Finger Names
Finger Output
FTP CD ~root Bug
FTP Site Exec
FTP Writable
Guess cgi-bin
IIS “.bat” and “.cmd” Bug
IP Spoofing
Kerberos IV Brute Force
Kerberos IV User Peek
Lan Manager Security
Linux Time Bomb
List cgi-bin
Microsoft “cd ..” Bug
Microsoft Network Client Password Cache
NetBIOS Null Session
NetBIOS Share
Netstat Check
NFS
NFS Access Files
NFS CD .. Bug
NFS Cache
NFS Export
NFS mknod
NFS Portmapper Export
NFS Sun File Handle Guess
NFS UID
NFS Write
NIS
Open/Close Flood
Open NetBIOS Share
Out of Band Crash
Password Permutations
phf Check
PCNFSD
Ping Bomb
Ping ‘O Death
Popd/Imapd
Proxy Scan
Rexd
Rexec Service
RIP Spoofing
Rlogin froot
Root Dot Dot
Routed
RPC/NIS Update
RPC Pcnfsd
RPC Statd
Rsh
Rsh Null Account
Rstat
Rstat Output
Ruser
Rwhod
Selection Service
Sendmail Debug Mode
Sendmail EXPN
Ident Service Test
Sendmail Identd Bug
Sendmail Remote Execution
Sendmail Syslog
Sendmail VRFY
Sendmail Wizard Backdoor
SNMP
SOCKS Scan
SYN Storm
Sysstat
System Log Flood
Telnetd Linker
TFTP (Trivial File Transfer Protocol)
Traceroute
Trusted Hosts
UDP Bomb
Ultrix NFS Remount Bug
Unresolved HTTP Link
UUCP
Vulnerable HTTP Servers
Vulnerable NNTP Server
Windows NT Active Server Page Bug
Windows NT DNS Server
Windows NT 4.0 beta
Writable NetBIOS share — Everyone
Writable NetBIOS share — Guest
Wall
Writable NetBIOS Share
WWW Directories without an index
WWW Proxy Penetrated
X25
X Window System

Earlier we mentioned that most remote scanners cannot peer into your system like local scanners do. Actually, some protocols, such as RPC and NIS, can be used by remote scanners to peek inside your system much like local processes. For example, in older implementations of NIS, you could get a copy of the password file by running ypcat on remote nodes in the NIS domain. Remote vulnerability scanners use some of these protocol techniques to look for weaknesses in your systems, too.

Where Is ISS Headed?

By the time this book is published, you can expect to find ISS rounding out its offerings with a system-level IDS as well. Other vendors are acquiring or developing complementary technologies, too, to offer scanners, network, and system IDSs individually or as part of a suite. When this occurs, you will benefit from common configuration files, similar user interfaces, and a common management framework (or console).

Other Scanners

A number of other scanners are in the market today. Two others are mentioned here. The list of competitors is growing almost daily. Ballista, developed by Secure Networks, Inc., is now owned and marketed by Network Associates. The IBM Network Security Auditor (NS Auditor) is another alternative primarily for UNIX systems.

Ballista

Developed under the leadership of Alfred Huger, Ballista boasts the largest list of vulnerabilities detected for UNIX systems. Although systems management and scalability features are clearly important to many customers, there seems to be a laundry-list factor in how purchase decisions are made. Whether the list of attacks scanned becomes the distinguishing feature for the market leader in scanners remains to be seen.

Ballista is a remote scanner that provides informative graphical reporting on results. The list of attacks is too long to include here, but you can find it at www.secnet.com or at www.neta.com (the Network Associates site). Not only does Ballista have an impressive list of recognized vulnerabilities, but the IDS is based on an extensible architecture known as CAPE. This leads to some very interesting possibilities. You can build your own attack patterns to scan or plug Ballista into other products.

IBM Network Security Auditor

The IBM Firewall is packaged with the Network Security Auditor remote scanner as an added bonus. The NS Auditor has its roots in the days of the Internet Worm incident. Two scientists at IBM Research were nose down in graduate school at Texas A&M University when the Worm hit. Not long after that incident, several other attacks were launched on the Internet. Dave Safford and Doug Schales were involved in discovering, monitoring, and repairing the damage caused by these attacks. The results of their efforts are widely distributed as the TAMU Tiger package. These two are also the initial authors of NS Auditor.

The NS Auditor is unique in that it uses heuristics (AI techniques) to make some decisions during its scanning phase. A wide range of options also can be specified for controlling the scan, including the following:

  Time-out limits for open port connections
  Whether to walk anonymous ftp trees looking for writable directories
  Factors affecting the speed of the scan

At this time, IBM does not offer NS Auditor as a separate product, although the tool is used by IBM consultants. The version of NS Auditor that ships with the firewall is limited to scanning an individual subnet of addresses rather than being wide open to scanning any addresses. Other scanners impose the same limitations using a license-key mechanism. The reason is simple—the difference between a network assessment and a network penetration attempt depends on the person running the scanner. A scanner with no limitations on network addresses for targets could be used to probe systems throughout the Internet.
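The scope restriction just described (a scanner that will only probe addresses inside a licensed block) can be enforced in a few lines. The following is an added example written for this page, not code from NS Auditor or any other vendor's product; the licensed block and the target list are constructed from documentation address ranges, and the target syntax (single address, CIDR block, or dashed range) is an assumption.

```python
import ipaddress

def parse_scope(entries):
    """Turn the licensed address blocks (CIDR strings) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def expand_target(spec):
    """Expand one target spec into the list of networks that cover it.

    Accepted forms (assumed for this example): a single address, a CIDR block,
    or a dashed range such as '192.0.2.200-192.0.2.210'.
    """
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]

def in_scope(net, scope):
    """True if the whole network lies inside one of the licensed blocks."""
    return any(net.version == s.version and net.subnet_of(s) for s in scope)

def check_targets(targets, licensed_scope):
    """Split requested targets into (allowed, rejected).

    A target is allowed only if every address it covers is inside the licensed
    scope; unparsable or partly-outside targets are rejected rather than trimmed.
    """
    scope = parse_scope(licensed_scope)
    allowed, rejected = [], []
    for spec in targets:
        try:
            nets = expand_target(spec)
        except (ValueError, TypeError):
            rejected.append(spec)      # malformed spec or mixed IP versions
            continue
        (allowed if all(in_scope(n, scope) for n in nets) else rejected).append(spec)
    return allowed, rejected

# Constructed sample: the license covers one /24 from the TEST-NET-1 range.
LICENSED = ["192.0.2.0/24"]
REQUESTED = [
    "192.0.2.10",                  # single host inside the block
    "192.0.2.0/25",                # sub-block inside the block
    "192.0.2.200-192.0.2.210",     # range inside the block
    "198.51.100.7",                # host in a different network
    "192.0.2.250-192.0.3.5",       # range that spills past the block
    "not-an-ip",                   # malformed
]

if __name__ == "__main__":
    ok, bad = check_targets(REQUESTED, LICENSED)
    print("allowed:", ok)
    print("rejected:", bad)
```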

Keeping the Scanners Current

Most scanners rely on knowledge of historical problems rather than on predictive capabilities. Because a new exploit is discovered at least every week, keeping the scanning database up to date is necessary. Companies that aggressively market intrusion detection products often maintain a skilled set of researchers who monitor newsgroups, communicate with the underground, and generate original results to find new hacks to add to the products. The X-Force team is one good example (www.iss.net/xforce). Others include the squads at Secure Networks Inc. (SNI, now part of Network Associates) and the WheelGroup (now part of Cisco). L0pht Heavy Industries is particularly skilled and has reported many important findings.
