CyberCop Scanner Getting Started Guide

CyberCop Scanner 

for Windows NT and Windows 2000 

Getting Started Guide 

Version 5.5

COPYRIGHT 

Copyright © 1998-2000 Networks Associates Technology, Inc. All Rights Reserved. No part of this 

publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into 

any language in any form or by any means without the written permission of Networks Associates 

Technology, Inc., or its suppliers or affiliate companies. 

LICENSE AGREEMENT 

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE THE 

SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE README.1ST, 

LICENSE.TXT, OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, 

EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT 

AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. 

IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A 

FULL REFUND. 

NETWORK ASSOCIATES TRADEMARK ATTRIBUTIONS 

* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, 

Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr 

Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, 

Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, 

MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More 

Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan, Net Shield, NetShield, 

NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, 

PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty 

Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router 

PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, 

SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM, 

TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk, 

Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum, 

ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker WebWall, and ZAC 2000 

are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All 

other registered and unregistered trademarks in this document are the sole property of their respective 

owners.

Table of Contents 

Preface..................................................... ix 

SystemRequirements ............................................ix 

HowtoUsetheGettingStartedGuide ................................x 

PartI:GettingStarted .........................................x 

PartII:AdvancedFeatures ....................................xi 

PartIII:Appendices ..........................................xi 

NetworkAssociatesContactInformation.............................xii 

Part One: Getting Started 

Chapter1. CyberCopScannerinActiveSecurity.................1-1 

Introduction . . . . . . . . . . ..........................................1-1 

About Active Security . . ..........................................1-2 

BenefitsofActiveSecurity .......................................1-3 

HowActiveSecurityWorks .......................................1-4 

KeepingActiveSecuritySecure:DigitalCertificates ..............1-6 

WheretoGoFromHere ..........................................1-7 

Chapter2. InstallingCyberCopScanner ........................2-1 

Introduction . . . . . . . . . . ..........................................2-1 

Installing CyberCop Scanner . . . . . . . . . .............................2-2 

Installing the CASL Interpreter . . . . . . . .............................2-5 

Uninstalling CyberCop Scanner . . . . . . .............................2-6 


Chapter3. GettingStarted:PerformingaScan ..................3-1 

Introduction . . . . . . . . . . ..........................................3-1 

About CyberCop Scanner . . . . . . . . . . . .............................3-2 

About the Security Management Interface (SMI) . . . . . . . . . .............3-3 

CyberCop Scanner Getting Started Guide 

i


QuickTouroftheSMIConsole ....................................3-4 

TheServicesNode ..........................................3-5 

TheRepositoryNode ........................................3-5 

The Local Computer Node . . . . . . . .............................3-6 

TheReportViewer(RightPaneoftheSMIConsole) ..............3-6 

LoadingConfigurationFiles ......................................3-7 

About Configuration Files . . . . . . . .............................3-7 

About the Setup Walkthrough Program . . . . . . . . . . . . .............3-9 

DNSandNISDomainNames .............................3-9 

FakeDNSServerName.................................3-10 

IPRangetoScan ......................................3-10 

ModuleConfigurationTemplate..........................3-11 

ScanSettingsTemplate ................................3-11 

UsingtheDefaultConfigurationFile ..........................3-12 

SettingUpaNewConfigurationFile ..........................3-14 

CreatingaNewConfigurationFile ........................3-14 

Selecting and Deselecting Modules . . . . . . . . . . . ............3-16 

CreatingandEditingScanSettingsTemplates .............3-19 

Creating and Editing Module Configuration Templates . . . . . . . 3-21 

LoadinganExistingConfigurationFile ........................3-24 

Probing for Responsive Hosts . . . . . . . ............................3-25 

StartingaProbe ...........................................3-26 

Stopping a Probe . .........................................3-26 

ScanningaHost ...............................................3-27 

StartingaScan ............................................3-27 

ScanningOveraModem ....................................3-28 

ViewingCurrentlyRunningModules ..........................3-29 

Stopping Currently Running Modules . . . . . . . . . . . . . ............3-30 

ViewingResultsDuringaScan...............................3-31 

CancelingaScan ..........................................3-32 

ii 

Table of Contents


ScanningMultipleHosts ........................................3-33 

About Scanning Multiple Hosts . . ............................3-33 

SpecifyingaHostRange................................3-33 

SpecifyingaHostFile ..................................3-33 

EnteringaRangeofIPAddresses........................3-34 

ScanningUsingaHostRange ...............................3-35 

ScanningUsingaHostFile ..................................3-35 

UsingFixItModules ............................................3-36 

PerforminganInitialScan ...................................3-37 

Enabling and Disabling Fix It Modules . . . . . . . . . . . . . ............3-37 

Running Fix It Modules . . . . . . . . . ............................3-38 

ExitingCyberCopScanner.......................................3-39 

WheretoGoFromHere .........................................3-40 

Chapter4. WorkingWithScanResults..........................4-1 

Introduction . . . . . . . . . . ..........................................4-1 

SavingScanResults.............................................4-2 

About Scan Results . . . . . . . . . . . . .............................4-2 

About the Event Database . . . . . . . .............................4-2 

SavingResultsinanEventDatabase ..........................4-3 

Specifying an Event Database for Saving Results: 

InCyberCopScanner .................................4-3 


In the SMI Console Window . . . . . . . . . . . . . . . .............4-3 

ConfiguringanEventDatabase ...............................4-5 

ViewingScanResults............................................4-6 

ViewingResultsDuringaScan................................4-6 

ViewingResultsinanEventDatabase..........................4-8 

Opening the Report Viewer: In CyberCop Scanner . . . . . . . . . . . 4-8 

Opening the Report Viewer: In the SMI Console Window . . . . . 4-8 

UsingtheReportViewerTabs ...............................4-10 

TheResultsTab.......................................4-10 

TheReportListTab....................................4-11 

TheChartTab.........................................4-13 

TheQueryTab ........................................4-13 


iii


QueryinganEventDatabase.................................4-14 

GeneratingScanReports........................................4-16 

SelectinganEventDatabasetoGenerateaReport ..............4-16 

Specifying an Event Database to Generate a Report: 

InCyberCopScanner ................................4-16 


In the SMI Console Window . . . . . . . . . . . . . . . ............4-17 

GeneratingaReport........................................4-18 

GeneratingaDifferentialReport ..............................4-20 

CustomizingaReport ......................................4-21 

PreviewingaReport........................................4-24 

ExportingaReport .........................................4-27 

PrintingaReport ..........................................4-27 

GeneratingNetworkMaps .......................................4-28 

GeneratingaNetworkMap ..................................4-28 

ViewingaNetworkMap .....................................4-29 


Chapter 5. Using Brute Force Password Guessing Functions. . . . . . . 5-1 

Introduction . . . . . . . . . . ..........................................5-1 

About Password Guessing Functions . .............................5-2 

UsingtheCrackUtility ...........................................5-3 

About the Crack Utility . . . . . . . . . . .............................5-3 

Running Crack . . . ..........................................5-4 

CrackScreenControls.......................................5-6 

UsingtheSMBGrindUtility .......................................5-7 

About SMBGrind . ..........................................5-7 

Running SMBGrind . . . . . . . . . . . . .............................5-8 

SMBGrindScreenControls ...................................5-9 


iv 

Table of Contents


Chapter 6. Running IDS (Intrusion Detection Software) Tests . . . . . . 6-1 

Introduction . . . . . . . . . . ..........................................6-1 

About IDS Tests . . . . . . ..........................................6-2 

PerformingIDSTests ............................................6-3 


Chapter 7. Using CASL Modules to Run Firewall Filter Checks. . . . . . 7-1 

Introduction . . . . . . . . . . ..........................................7-1 

About CASL Modules . . ..........................................7-2 

SettingUptoRunFirewallFilterChecks ............................7-3 

Running Firewall Filter Checks . . . . . . . .............................7-5 


Chapter 8. AutoUpdate: Updating CyberCop Scanner Files . . . . . . . . 8-1 

Introduction . . . . . . . . . . ..........................................8-1 

About the AutoUpdate Feature . . . . . . . .............................8-2 

UpdatingCyberCopScanner ......................................8-3 

UpdatingCyberCopScannerNowUsingAutoUpdate .............8-3 

Updating CyberCop Scanner Periodically Using AutoUpdate . . . . . . . 8-6 

DeletingScheduledUpdates ......................................8-9 


Part Two: Advanced Features 

Chapter 1. Using NTCASL to Generate Custom Audit Packets . . . . . . 1-1 

Introduction . . . . . . . . . . ..........................................1-1 

About CASL (Custom Audit Scripting Language) . . . . . . . . .............1-2 

CreatinganExamplePacket ......................................1-3 

CASLScreenControls ...........................................1-6 

TheCASLScreen ...........................................1-6 

CASLMenus ...............................................1-7 

CASL Toolbar . . . . ..........................................1-9 

CASLListbox .............................................1-10 



v


Chapter2. TheVulnerabilityDatabaseEditor ....................2-1 

Introduction . . . . . . . . . . ..........................................2-1 

About the Vulnerability Database . . . . . .............................2-2 

About Module Records . ..........................................2-3 

FlagsandSeveritySettings ..................................2-3 

Flags .................................................2-3 

Impact ................................................2-3 

RiskFactor ............................................2-4 

Complexity . . ..........................................2-5 

RootCause............................................2-6 

FixEase ..............................................2-6 

Popularity .............................................2-7 

ModuleDescriptions ........................................2-8 

ShortDescription.......................................2-8 

VerboseDescriptions ...................................2-8 

ModuleParameters .........................................2-8 

VulnID ................................................2-8 

Timeout...............................................2-8 

Editing Module Records ..........................................2-9 

Exporting Modules . . . . .........................................2-11 

Summary . . . . . . . . . . . . .........................................2-12 

Part Three: Appendices 

Appendix A. A Guide to CASL (Custom Audit Scripting Language) . . A-1 

Introduction . . . . . . . . . . ..........................................A-1 

About CASL . . . . . . . . . . ..........................................A-2 

ProgrammingWithCASL .........................................A-3 

StructuringCASLPrograms ..................................A-3 

vi 

Table of Contents


UnderstandinganExampleCASLProgram .....................A-4 

Step One: Defining TCP/IP Packets . . . . . . . . . . . .............A-5 

StepTwo:CreatingaTCPSYNPacket .....................A-5 

Step Three: Specifying a Destination Host 

fortheTCPSYNPacket ...............................A-5 

Step Four: Combining TCP SYN and IP Headers .............A-6 

StepFive:OutputtingtheTCPSYNPacket..................A-6 

StepSix:DefiningPortConnections .......................A-6 

Step Seven: Sending Connection Requests to Ports . . . . . . . . .A-7 

StepEight:ReadingTCPResponses ......................A-7 

StepNine:DeterminingTCPResponseTypes ...............A-7 

StepTen:VerifyinganOpenPortConnection ...............A-8 

Step Eleven: Evaluating the Completed Program . . . . . . . . . . . .A-8 

CASLReference ...............................................A-10 

ProgramStructure .........................................A-11 

Statements ...........................................A-11 

Variables.............................................A-11 

Syntax...............................................A-12 

ControlStatements ....................................A-14 

Lists .....................................................A-18 

ListCreation..........................................A-18 

Recursion ............................................A-18 

ListOperators ........................................A-19 

ListControl...........................................A-20 

PacketHeaders............................................A-21 

Definition ............................................A-21 

Instantiation ..........................................A-22 

FieldReference .......................................A-22 

SpecialFields.........................................A-22 

BufferSize ...........................................A-22 

BufferScale ..........................................A-23 

StructureExtraction ...................................A-23 


vii


Subroutines ..............................................A-24 

Declaration ...........................................A-24 

Argument Passing . . . . . . . . . ............................A-24 

Variable Argument Lists . . . . ............................A-25 

ReturnValues.........................................A-25 

Scope ...............................................A-25 

CASL Built-in Functions .........................................A-27 

Network I/O Built-in Functions . . . ............................A-27 

The IP Output Function . . . . . ............................A-27 

TheIPFixupFunction ..................................A-27 

The IP Input Function . . . . . . ............................A-28 

The IP Filters Function . . . . . ............................A-28 

The IP Range Function . . . . . ............................A-28 

File I/O Built-in Functions . . . . . . . ............................A-29 

MISC(Miscellaneous)Built-inFunctions.......................A-30 

Summary . . . . . . . . . . . . .........................................A-32 

Appendix B. Scanning: Command Line Options . . . . . . . . . . . . . . . . . . B-1 

Introduction . . . . . . . . . . ..........................................B-1 

Running Scans From the Command Line . . . . . . . . . . . . . . .............B-1 

engine ....................................................B-1 

Summary . . . . . . . . . . . . ..........................................B-3 

Glossary...................................................G-1 

viii 

Table of Contents

Preface 

This preface includes important information about CyberCop Scanner. We 

recommend that you read this preface thoroughly before using CyberCop Scanner. 

System Requirements 

The minimum system requirements that must be met to install and use the Security 

Management Interface and CyberCop Scanner are as follows: 

• Windows NT 4.0 with Service Pack 4.0 

• Internet Explorer 4.0 SP1 

• 266 MHz Pentium II processor 

• 128 MBofRAM 

• 200 MB of free disk space 

NOTE: This release of CyberCop Scanner and the Security Management 

Interface was tested under Windows NT 4.0 and Windows 2000 RC2. This 

release of CyberCop Scanner has not been fully tested with Internet Explorer 5.0. 

We also recommend that you obtain the Microsoft Data Access Components (MDAC) 

2.1 SP2, which can be downloaded from the Microsoft web site at 

http://www.microsoft.com/data/download.htm, even though it is not required. 

If your system does not meet the above-listed requirements, you must upgrade the 

system accordingly before installing CyberCop Scanner, which includes the Security 

Management Interface. 


ix

Preface 

How to Use the Getting Started Guide 

This Getting Started Guide is divided into three parts. The parts include the following: 

• Part I: Getting Started 

• Part II: Advanced Features 

• Part III: Appendices 

The contents of the above-listed parts are described below. 

Part I: Getting Started 

Chapter 1, “CyberCop Scanner in Active Security,” describes how CyberCop Scanner 

works when it is integrated into the Active Security suite of NAI products. CyberCop 

Scanner can be used as a standalone product. Or, it can be used with other NAI 

products in the Active Security suite. 

Chapter 2, “Installing CyberCop Scanner,” includes step-by-step instructions for 

installing and uninstalling CyberCop Scanner. It also includes instructions for 

installing the CASL interpreter. Once you complete this chapter, you will be ready to 

begin the tutorial chapters. 

Chapter 3, “Getting Started: Performing a Scan,” is the first of several tutorial chapters. 

Chapter 3 leads you through configuring CyberCop Scanner and performing a scan. 

Chapter 4, “Working With Scan Results,” explains how scan results are saved. It also 

teaches you how to view scan results and generate scan reports and network maps 

using the scan results you obtained in Chapter 3. 

Chapter 5, “Using Brute Force Password Guessing Functions,” teaches you about the 

Crack utility and the SMB Grind utility. It includes a discussion of the Crack and SMB 

Grind utilities and instructions on how to use them. 

Chapter 6, “Running IDS (Intrusion Detection Software) Tests,” includes an 

explanation of the IDS testing tool for testing your intrusion detection software as well 

as a procedure for conducting IDS tests. 

Chapter 7, “Using CASL Modules to Run Firewall Filter Checks,” includes 

instructions for running filter checks on firewalls, screening routers, and other gateway 

machines using module class 12000, a class of modules written in the custom audit 

scripting language (CASL). 

Chapter 8, “AutoUpdate: Updating CyberCop Scanner Files,” explains how to 

download the most current CyberCop Scanner update packs (i.e. compressed files) 

from NAI’s FTP site to your system. 

x 

Preface

Part II: Advanced Features 

Part II: Advanced Features explains advanced functions of CyberCop Scanner. 

Preface 

Chapter 1, “Using NTCASL to Generate Custom Audit Packets” describes the 

CyberCop Scanner NTCASL user interface that allows you to generate custom packets 

that use the custom audit scripting language. You can then send your custom packets 

to a destination host to check for security holes in a network. You construct packets 

using tools provided in the NTCASL user interface. It is not necessary to know the 

custom audit scripting language to use the NTCASL user interface. 

Chapter 2, “The Vulnerability Database Editor,” is a brief introduction to the 

Vulnerability Database Editor. 

Part III: Appendices 

Part III: Appendices includes appendices that describe additional features of 

CyberCop Scanner. 

Appendix A, “CASL Reference Guide,” provides a detailed explanation of the custom 

audit scripting language (CASL) which you can use to write your own scripts using a 

text editor and run them using the CASL interpreter of CyberCop Scanner. 

Appendix A includes a description of CASL program structure and syntax, as well as 

a programming guide. 

Appendix B, “Scanning: Command Line Options,” contains options for running the 

scan engine from the command line. 

NOTE: The CyberCop Scanner Getting Started Guide is provided as a PDF file 

which you can print. If you are viewing the CyberCop Scanner Getting Started 

Guide using a PDF viewer, we strongly recommend that you view the file using 

Adobe Acrobat Reader. You can download a copy of Acrobat Reader from the 

Adobe Systems Incorporated web site: 

http://www.adobe.com/prodindex/acrobat/readstep.html. 

Follow the download instructions, and then click Download to download Adobe 

Acrobat Reader to your system. 


xi

Preface 

Network Associates Contact Information 

You can contact Network Associates to order products, obtain product information, or 

get technical support. In this section, you will find information on how to contact us. 

If you would like to order Network Associates products or obtain product information, 

contact us at the following address and phone number: 

Network Associates, Inc. 

3965 Freedom Circle 

Santa Clara, CA 95054 

U.S.A. 

Tel: 972-308-9960 

You may direct all questions, comments and technical support requests to the Network 

Associates Customer Care department at any of the addresses or phone numbers listed 

below. Before you contact us for support, please have the following information ready: 

• product name and version number 

• operating system and version number along with any service packs and hotfixes 

you may have installed 

• computer brand and model, including CPU speed and RAM 

• steps to reproduce the problem you are having with the product 

We encourage you to use our site on the World Wide Web to get help with product 

support issues. Our site on the World Wide Web is http://support.nai.com. On our 

site, you can find answers to frequently asked product questions, virus information, 

and software updates. 

If you do not find information on the World Wide Web or do not have access to the 

World Wide Web, try to obtain help using one of Network Associates’ automated 

services listed below. 

Internet: support@nai.com 

CompuServe: GO NAI 

America Online: keyword NAI 

If Network Associates’ automated services do not have the desired information, 

contact us at the appropriate phone or fax number below. You can contact us Monday 

through Friday between 6:00 A.M. and 6:00 P.M Pacific time. 

xii 

Preface

Preface 

For corporate-licensed customers: 

Tel: 972-308-9960 

Fax: 408-970-9727 

For retail-licensed customers: 

Tel: 972-855-7044 

Fax: 408-970-9727 


xiii

Preface 

xiv 

Preface

Part One: Getting Started 

1

1CyberCop Scanner 

in Active Security 

Introduction 

1 

CyberCop Scanner can be used as either a standalone product or a product in the 

Active Security suite. This chapter describes the Active Security suite and CyberCop 

Scanner’s role in the suite. 

CyberCop Scanner Getting Started Guide 1-1

CyberCop Scanner in Active Security 

About Active Security 

The Active Security suite of products is an evolutionary step in enterprise security: 

entirely automated enforcement of network security policies. Active Security enables 

you to take a proactive role in protecting your network by detecting vulnerabilities and 

responding to them. 

The Active Security concept is implemented as a highly integrated family of Network 

Associates software components, all working in concert to automatically detect and 

address any security vulnerabilities in your network that would violate your 

organization’s security policies. 

The Active Security integrated product family is comprised of the following Network 

Associates products: 

• CyberCop Scanner is a network security assessment tool that can scan devices 

on your network for more than 700 vulnerabilities. You configure CyberCop 

Scanner to search for the vulnerabilities that concern you, in accordance with your 

security policy. We call CyberCop Scanner a sensor component because it scans 

the network for vulnerabilities. 

• Event Orchestrator receives messages from sensors on the network and then, 

based on your security policy, processes them and decides whether to send action 

messages to the Active Security actor components in response to them. You 

configure Event Orchestrator to respond to particular vulnerabilities in a manner 

that best enforces your security policies. Event Orchestrator is called an arbiter. 

• Gauntlet Firewall for Windows NT and Unix are the most secure firewalls on the 

market today. Gauntlet Firewall takes instructions from the arbiter and responds 

in a manner of your choosing. Gauntlet Firewall is an actor component. 

• Net Tools PKI Server supports secure, strongly authenticated communication 

among the sensor, the arbiter, and the actors by furnishing each product with 

X.509 certificates. 

The separately available McAfee HelpDesk and Magic Total Service Desk products 

can also be used as Active Security actors. 

You configure Active Security and your network to implement your security policies. 

Active Security takes it from there, watching your network for security holes and 

automatically triggering your designated response whenever it finds one, like a 

vigilant guardian. 

1-2 Chapter 1

Benefits of Active Security 


The Internet and the increasingly complex security needs of today’s geographically 

distributed “virtual” corporations are pushing the limits of what a corporate IT 

department can be reasonably expected to handle. Network administrators are being 

asked to protect more and more with limited resources. 

Most system failures are due to user error, not product flaw or hacker attack. Security 

vulnerabilities are most often introduced accidentally by the very people the system 

administrator is trying to protect: the sometimes naive internal user. Detecting and 

correcting these multiplying vulnerabilities as they arise takes constant work because 

existing security analysis tools make it too hard to be thorough and fast enough — they 

generate huge amounts of data, force you to parse it all, and then it still takes a further 

human decision and a manual action, like running a program to shut down a network 

port, to address each problem. An administrator simply can’t be everywhere at once. 

There are lots of tools for finding network security vulnerabilities, and you may think 

that simply using the tools is enough. This is a dangerous misconception. What 

matters is what you configure them to look for, and what actually happens when they 

find vulnerabilities. Without a network security policy tailored to your particular 

requirements, no network security tool can effectively protect you. 

In other words, you need to have a network security policy that reflects your 

organization’s security goals, and you need to be certain that your policy is being 

reliably carried out. This means that the security system needs to actually implement 

the policy, actively responding to vulnerabilities as they’re detected, working 

automatically rather than waiting for a human’s attention. Only automated security 

policy enforcement tools will do the job these days. 

Of course, having the world’s best security policy and an elegant automatic security 

system won’t protect you if a hacker could simply crack the security system itself. 

Your policy enforcer has to protect itself from tampering, too. 

Active Security is all of that: a secure system that you can train to automatically take 

any action your policy calls for whenever it finds any network security vulnerability 

that concerns you. It’s a technology that enables you to be far more diligent about 

cleaning up security holes as they arise because it’s more thorough than a person and 

faster than a person — once you’ve set it up for your network security policies, your 

administrator just runs a scan and Active Security does the rest. You can configure the 

system to automatically take care of some of the problems it may find — and if Active 

Security detects a problem it can’t handle on its own, it can alert the administrator via 

pager or email. 

Active Security is your network administrator’s most valuable weapon in the constant 

uphill battle of maintaining your network security. 



How Active Security Works 

The Active Security suite is built on the idea of three types of programs, all working 

together to protect your network: sensors, arbiters, andactors. 

• Sensors scan the network for security vulnerabilities. 

• Arbiters decide how best to deal with a security vulnerability when a vulnerability 

is detected. 

• Actors address the problem, as instructed by the arbiters. 

Sensors 

Arbiters 

Actors 

watch decide what take responsive 

the network to do when 

action 

for trouble trouble happens 

Figure 1-1. The Active Security suite program types, including sensors, 

arbiters, and actors. 

In Active Security suite, each of these jobs is handled by a separate software 

component. Currently, the Active Security family includes: 

• one sensor program, CyberCop Scanner, for Windows NT 

• one arbiter program, Event Orchestrator, for Windows NT 

• two actor programs, Gauntlet Firewall, for Windows NT and Unix 

In addition to delegating actions to external actor components, the arbiter program 

(Event Orchestrator) is able to take certain kinds of action on its own; for example, it 

can send out an email message about a vulnerability it’s been informed of, or run a 

custom Visual Basic script. 

Network Associates’ McAfee HelpDesk product (available separately) can also serve 

as an additional actor, and future releases of Active Security will include more sensors 

and actors. 

Because your network security policy must drive your security tools, everything that 

each of the Active Security components does is configurable. Indeed, you must 

configure each component to implement your particular policies before you can use 

Active Security. 

The figure below depicts how the Active Security integrated product suite works. 

1-4 Chapter 1


Your Security Policy 

(You decide what is important 

and how to respond) 

McAfee 

HelpDesk 

Gauntlet 

Firewall 

CyberCop 

Scanner 

(Proactively scanning 

internal network 

for vulnerabilities) 

Event Orchestrator 

(Accepts all alerts, compares 

with security policy, then 

initiates responses) 

Administrator 

alerts 

Figure 1-2. The Active Security suite. 

The above figure illustrates the following principles: 

• Your network security policy determines everything Active Security does. 

• Your network administrator runs one or more copies of CyberCop Scanner to 

examine your network for vulnerabilities. 

• One or more copies of Event Orchestrator listen to CyberCop Scanner and, when 

vulnerabilities are detected, automatically dispatch your custom predetermined 

responses — which may involve sending an alert to the administrator or running 

a Visual Basic script. 

• Some responses can be delegated to external actors, including Gauntlet Firewall 

and McAfee HelpDesk. 

The two remaining Active Security components, the Net Tools PKI Server and the 

Active Security Setup Panel, aren’t sensors, arbiters, or actors. Instead, they support 

the sensors, arbiters, and actor components by making it possible for them to 

communicate securely. 

IMPORTANT: The purpose of Active Security is to implement your network 

security policy. Do not activate any of the Active Security features until you 

have formulated a network security policy. 



Keeping Active Security Secure: Digital Certificates 

Because Active Security maintains your network security automatically, without 

human intervention, it’s vital to ensure that no malicious person can impersonate any 

Active Security component — if an attacker could send forged instructions to shut 

down parts of the system, or force your sensors to ignore certain vulnerabilities, the 

result could be devastating. Active Security guards against such attacks by strongly 

authenticating all of its communications with X.509 digital certificates. Every 

message sent between the Active Security components depends on these certificates. 

In fact, Active Security can’t start working until every component has received its own 

certificate. 

The NetTools PKI Server’s role in Active Security is to centrally manage the creation 

and distribution all of these digital certificates. 

The Active Security Setup Panel application’s role is to allow each sensor, arbiter, and 

actor component’s machine to interact with the PKI Server, for the purpose of creating 

a separate certificate for that separate machine (for your Windows NT computers only; 

getting a certificate for Gauntlet Firewall for UNIX works a little differently). 

1-6 Chapter 1

WheretoGoFromHere 


To learn more about Active Security, or to start using Active Security, please refer to 

the Active Security Getting Started Guide. The Getting Started Guide introduces the 

Active Security integrated family of products and explains how they interact. It 

describes the installation and configuration of the system at a high level, and provides 

a roadmap of how to go about setting up and rolling out the entire system. 

To learn more about using the products in the Active Security suite, refer to the 

documentation distributed with the products you are interested in. 



1-8 Chapter 1

2Installing CyberCop Scanner 

2 

Introduction 

This chapter includes step-by-step instructions for installing (and uninstalling) 

CyberCop Scanner. It also includes instructions for installing the CASL interpreter. 

The CASL interpreter lets you write your own programs in a text editor that simulate 

attacks or information gathering checks. 

The minimum system requirements that must be met to install and use the Security 

Management Interface and CyberCop Scanner are as follows: 

• Windows NT 4.0 with Service Pack 4.0 

• Internet Explorer 4.0 SP1 

• 266 MHz Pentium II processor 

• 128 MBofRAM 

• 200 MB of free disk space 

If your system does not meet the above-listed requirements, you must upgrade the 

system accordingly before installing CyberCop Scanner, which includes the Security 

Management Interface. 


Installing CyberCop Scanner 


This section gives step-by-step instructions for installing CyberCop Scanner and SMI 

on the local computer. These instructions assume that you will be installing CyberCop 

Scanner using the installation CD or installation files that you have downloaded from 

NAI's website. 

To install CyberCop Scanner, follow these steps: 

1. Double-click on the file setup.exe on the installation CD or in your downloaded 

installation files. Alternatively, if you are using the CD, from the Start menu 

select Start>Run D:\setup.exe, where "D:"representstheletterofyourCD-ROM 

drive. 

The Installation Wizard will check to make sure your operating system does not 

need to be updated. Required components include the following: 

• Windows NT Service Pack 4 

• Internet Explorer v.4.0 SP1 

If your computer does not have Windows NT Service Pack 4 or Internet Explorer 

v.4.0 SP1 installed, you will be prompted to exit the Installation Wizard and install 

them before continuing. You must install these components and then reboot your 

computer as necessary. Then restart the Installation Wizard. 

2. Next the CyberCop Scanner 5.5 screen will be displayed. Click the link for "Install 

CyberCop Scanner 5.5" to begin installing it on the local computer. 

3. Next a dialog box may open to inform you that system component updates are 

necessary to successfully install SMI. If you wish to continue the installation, 

click Update Now. The Installation Wizard will automatically perform the 

necessary updates. If your system components do not need to be updated, you will 

not see this dialog box. 

After the operating system has been updated, you will be prompted to restart your 

computer so that the new settings can take effect. To restart your computer now, 

click Yes. The Installation Wizard will automatically restart your computer. When 

you log on again, the installation will continue with the next step. 

4. Next a License Agreement dialog box will open. After reading the license 

agreement, enable the I Accept the Agreement button and then click Next to 

continue. 

5. The Installation Path dialog box will be displayed, allowing you to select a 

program group and destination directory for CyberCop Scanner and the Security 

Management Interface. By default, the program group Network Associates and 

the directory c:\Program Files\Network Associates\SMI Products\ are selected. 

2-2 Chapter 2


You may select a different program group if you wish. Click the Browse button to 

select a different directory. If the specified directory does not exist, you will be 

asked if you want to create it. The disk space requirements on your local computer 

will also be displayed. Click Next to continue. 

6. The Event Forwarding dialog box will be displayed, with information about 

enabling forwarding of security events and configuring network security alerts. 

NOTE: Event forwarding and network alerting are not supported in this release 

of CyberCop Scanner. 

Click Next to continue. On the next screen, you will be asked to specify a logon 

user account to be used by the service that controls event forwarding and network 

security alerts. Select "Use 'LocalSystem' account." Then click Next. 

7. The Installing SMI dialog box will be displayed. Click Install to continue. A 

status bar will report progress as files are installed on your computer. Then a 

series of screens will be displayed reporting installation activity, including: 

• Product Registration dialog box, reporting that the CyberCop Scanner 

installation kit is being registered and copied into the Repository 

• Installing Product dialog box, reporting that CyberCop Scanner is being 

installed for use. 

NOTE: If you have files from a previous version of CyberCop Scanner or a 

previous installation, the files will be removed to an alternate location: 

c:\Program Files\Network Associates\SMI Products\CyberCop 

Scanner\Backup\ with a time and date stamp. 

8. Then a dialog box will report "Installation finished successfully." Click OK to 

continue. 



NOTE: In order to improve performance, at the end of the installation CyberCop 

Scanner sets three Windows NT TCP/IP Registry keys listed below. These 

changes will be activated the next time the computer is rebooted. The following 

Registry keys are set: 

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\ 

Parameters\MaxFreeTcbs 

Value: 0xffffffff (4294967295) 


Parameters\MaxHashTableSize 

Value: 0x00010000 (65536) 


Parameters\MaxUserPort 

Value: 0x00010000 (65536) 

Installation of CyberCop Scanner and the Security Management Interface is now 

complete. CyberCop Scanner is ready for use. 

9. To start CyberCop Scanner, from the Start menu select 

Start>Programs>CyberCop Scanner>CyberCop Scanner. 

10. To access the report viewer of the Security Management Interface, from within 

CyberCop Scanner, select the Reports>View Results... menu item. 

2-4 Chapter 2


Installing the CASL Interpreter 

CASL (custom audit scripting language) is a high-level programming language 

designed to write programs, often called scripts, that simulate low-level attacks or 

information gathering checks on networks. 

To write programs that simulate an attack or information gathering check, you need to 

write code that constructs packets and then sends those packets to a host on a network 

just as an actual attack or information gathering check would. You can execute the 

programs you create in CASL to determine if a network is vulnerable to the attack or 

the information gathering check simulated by the programs. 

To use CASL, you must install the interpreter. To install the CASL interpreter, follow 

these steps: 

1. On the Windows desktop, right- click on the My Computer icon and select 

Properties from the context menu. The System Properties dialog box will open. 

Alternatively, in the Windows Explorer, right-click on My Computer and select 

Properties from the context menu. 

2. In the System Properties dialog box, switch to the Environment tab. 

3. In the Variable textbox, enter CASL_DIR in the Variable textbox. Then, in the 

Value textbox enter c:\Program Files\Network Associates\ SMI 

Products\CyberCop Scanner\casl\. 

4. Click the OK button to close the dialog box. 

The CASL interpreter is now installed on your system. 



Uninstalling CyberCop Scanner 

To uninstall CyberCop Scanner and the Security Management Interface from your 

local computer, follow these steps: 

1. If the SMI console window is open, close it by clicking the close button at the top 

right of the screen. Also exit CyberCop Scanner if it is open. 

2. Open the Control Panel from the Start menu by selecting Start>Settings>Control 

Panel. 

3. In the Control Panel, double-click Add/Remove Programs to open the 

Add/Remove Programs Properties dialog box. 

In the Add/Remove Programs Properties dialog box, follow these steps to remove 

both CyberCop Scanner and the Security Management Interface: 

• Onthe Install/Uninstall tab, scroll through the list of programs and select 

Security Management Interface to highlight it. Then click the Add/Remove 

button. 

The Product Uninstaller screen will open, displaying both CyberCop Scanner 

for SMI and Security Management Interface 1.0. 

• Select CyberCop Scanner for SMI to highlight it. Then click Next. 

The CyberCop Scanner for SMI screen will be displayed. Click the Uninstall 

button. A status bar will display progress as files are uninstalled. Then a 

dialog box will open reporting "Uninstallation succeeded." Click OK. 

• Next, on the Product Uninstaller screen, select Security Management 

Interface 1.0 to highlight it. Then click Next. 

The Security Management Interface 1.0 screen will be displayed. Click the 

Uninstall button. A status bar will display progress as files are uninstalled. 

Then a dialog box will open reporting "Uninstallation succeeded." Click OK. 

• You will be asked if you want to restart your computer now. Click Yes. 

Your computer will automatically be restarted. The Security Management Interface 

and CyberCop Scanner are now uninstalled from your computer. 

2-6 Chapter 2



This chapter included step-by-step instructions for installing CyberCop Scanner, 

including the CASL interpreter. It also included instructions for uninstalling CyberCop 

Scanner in case you need to remove it from your system. At this point, you are ready 

to use CyberCop Scanner. You can begin with the tutorial chapters, starting with 

Chapter 3. Chapter 3 leads you through configuring the software and performing a 

scan. 



2-8 Chapter 2

3Getting Started: 

Performing a Scan 

Introduction 

3 

This chapter teaches you about the procedures required to perform a scan. In this 

chapter, you will learn the following: 

• how to start CyberCop Scanner, which includes the Security Management 

Interface 

• how to use the default configuration file and how to create a new configuration file 

• how to create a scan settings template and module configuration template and use 

them in a configuration file 

• how to select which modules and module classes are used for a scan 

• how to start and stop a network probe 

• how to start and stop a scan 

• how to scan multiple hosts by entering an IP address range or by using a host text 

file 

• how to use Fix It modules 

This chapter is the first of several tutorial chapters that will guide you through the 

CyberCop Scanner software. This chapter gives you the background you need to 

perform a scan. In the next chapter, Chapter 4, you will learn how to view scan results 

and generate scan reports. 


Getting Started: Performing a Scan 

About CyberCop Scanner 

CyberCop Scanner includes sophisticated tools for performing scans against intranets, 

Web servers, firewalls, and screening routers to identify security vulnerabilities in 

networks. CyberCop Scanner works by running modules against a target system. 

Modules are pieces of code that either check for vulnerabilities on the target system or 

attempt to exploit the vulnerabilities of the target system. 

Modules are grouped into module classes according to their function. For instance, 

some module classes gather information about the assumptions intruders might make 

about a computer that would allow them access to your network. Other module classes 

run tests against a target host to determine whether vulnerable hardware or software is 

present on the machine. 

CyberCop Scanner includes operating system detection which can identify the 

operating system types of hosts on a network. Once operating system types are 

identified, CyberCop Scanner can optionally disable modules not pertaining to 

specified operating systems when scanning hosts. 

Certain modules, called "Fix It" modules, are used in conjunction with Windows NT 

Registry checks. Fix It modules can be enabled to change a Registry value in order to 

correct potential vulnerabilities detected by CyberCop Scanner. Still other modules 

initiate hostile Denial of Service attacks, which look for vulnerabilities that can only 

be detected properly if an attack is actually launched against a target host. 

There are over 600 modules in the CyberCop Scanner vulnerability database. 

Additional modules can be added to the vulnerability database via Network Associates 

module updates. Or, you can add your own modules to the vulnerability database via 

the Vulnerability Database Editor. CyberCop Scanner uses modules in the 

vulnerability database when it performs a scan against a target. Modules for which a 

target is found vulnerable will return data. 

CyberCop Scanner makes use of the Network Associates Security Management 

Interface (SMI), a built-in application framework which provides a centralized event 

database for storing CyberCop Scanner security results. SMI also provides a report 

viewer which allows you to query the database, preview data, and generate reports. 

To display the version of CyberCop Scanner installed on your system, select the 

Help>About ScannerUI... menu item. 

3-2 Chapter 3


About the Security Management Interface (SMI) 

The Network Associates Security Management Interface (SMI) is the built-in 

application framework for NAI security applications such as CyberCop Scanner. SMI 

provides a single console window, called the SMI console window, with a centralized 

event database where CyberCop Scanner security results are stored. The SMI report 

viewer allows you to view data and query the event database, and to generate, preview, 

print, and export sophisticated graphical and text-based reports using over ten 

pre-defined report templates. 

The foundation for SMI is the Microsoft Management Console (MMC). MMC is a user 

interface which allows multiple programs to be accessed and run from a single console 

window. 

NOTE: Different NAI security applications use different features of SMI. 

CyberCop Scanner uses the centralized event database and report viewer of SMI. 

CyberCop Scanner does not support remote installation, remote management, 

event forwarding or network alerting. 



Quick Tour of the SMI Console 

To start the SMI console, use one of the following methods: 

• From the Windows Start menu, choose Start>Programs>Network 

Associates>Security Management Interface. The SMI console window will open. 

• Alternatively, from within CyberCop Scanner, select the Reports>View 

Results... menu item to open the SMI report viewer. A dialog box will open 

allowing you to select a pre-existing event database. Select an event database and 

then click Open. The SMI console will open, displaying the SMI report viewer. 

Click the Show/Hide Console Tree toolbar icon to display the full SMI console 

window. 

In the left pane of the SMI console window, you will see the SMI console tree. The 

top-level node of the SMI console tree is called the Workspace node. Under the 

Workspace node are several nodes which represent the SMI configuration of the local 

computer. 

You will see the following components of the SMI console window: 

• Services node: Provides access to the SMI report viewer for viewing security 

results and generating reports. 

• Repository node: Stores installation kits and report templates used by CyberCop 

Scanner. You do not need to access the Repository node when using CyberCop 

Scanner. 

• Local Computer node: Allows you to configure the event database where 

CyberCop Scanner security results are stored. 

• Report Viewer: WhenyouclickontheWorkspace>Services>Event Database 

(events.mdb)>CyberCop Scanner node, the right pane of the SMI console 

displays screen controls for the SMI report viewer. 

3-4 Chapter 3

The Services Node 


The Workspace node of the SMI console tree includes a node called Services.The 

Services node provides access to the SMI report viewer, allowing you to view results 

in the centralized database where CyberCop Scanner security results are stored. This 

centralized database is called an event database, because it stores a record of each 

security event, or vulnerability, logged by CyberCop Scanner. 

By default, the local event database is called events.mdb and it is located at 

c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB. It is 

represented on the SMI console tree by a node called Event Database (events.mdb) 

listed under the Services node. 

NOTE: You can also access the SMI report viewer from within CyberCop 

Scanner, by selecting the Reports>View Results... menu item. 

The Repository Node 

The SMI console tree includes a node called the Repository. The Repository is 

necessary for registering product installation kits for NAI security applications. When 

the installation kit for an NAI security application is registered in the Repository, it is 

listed as a reference node under the Repository. 

When you click on the CyberCop Scanner node under the Repository, the node 

expands to list the version numbers of the SMI and CyberCop Scanner installation kits. 

AgentInfo, an SMI utility program, is also listed as a node under the Repository. 

WhenyouclickontheWorkspace>Repository>CyberCop 

Scanner>1.0-5.5.0>Reports node, the node expands to list the report templates 

installedwithCyberCopScanner. 

NOTE: You do not need to access the Repository when you use CyberCop 

Scanner. The Repository is used by certain NAI security applications to perform 

remote installations. CyberCop Scanner does not support remote installation or 

remote management. 



The Local Computer Node 

The Local Computer node is labeled with the host name of your local computer. Under 

the Local Computer node, you will see the AgentInfo node, indicating that AgentInfo, 

an SMI utility program, is installed on your local computer. AgentInfo allows you to 

configure the event database where CyberCop Scanner security results are stored. 

Using AgentInfo, you can select the location of the local event database where 

CyberCop Scanner security results (vulnerabilities) are stored. By default, the local 

event database is called events.mdb and it is located at c:\Program Files\Network 

Associates\SMI Products\SMI\Shared\EventDB. AgentInfo also allows you to specify 

which event database is used to generate reports of CyberCop Scanner results. 

NOTE: You can also select an event database for storing security results and 

specify which event database is used to generate reports from within CyberCop 

Scanner. 

The Report Viewer (Right Pane of the SMI Console) 

When you click on any node on the SMI console tree, the right pane of the SMI console 

window displays information or screen controls related to that node. 

WhenyouclickontheWorkspace>Services>Event Database 

(events.mdb)>CyberCop Scanner node, the right pane of the SMI console window 

displays the SMI report viewer. Menu commands, tabs, and toolbar icons specific to 

the report viewer are also displayed. 

The report viewer allows you to view CyberCop Scanner security results and generate 

a variety of graphical and text-based reports using pre-defined report templates. 

3-6 Chapter 3


Loading Configuration Files 

This section describes the information contained in a scan configuration file and 

introduces the Setup Walkthrough program of CyberCop Scanner. It also explains how 

you can create scan settings templates and module configuration templates to store 

collections of desired scan settings and module settings which can be used when you 

create a configuration file. 

About Configuration Files 

In order to perform a scan of hosts on your network, you must first set up a scan 

configuration file. A scan configuration file stores the following scan information: 

• scan settings, such as host range to scan, operating system identification, scan 

engine options, and policy options 

• module settings, a preselected set of module classes and modules to run against 

the target host(s) 

• application settings, such as system file locations, as well as settings to display and 

report scan messages 

CyberCop Scanner includes a default scan configuration file, scanner.ini. The default 

configuration file includes a default selection of scan settings, module settings, and 

application settings that you can use to perform a scan. When you start CyberCop 

Scanner for the first time, a Setup Walkthrough program guides you through loading 

the default configuration file. The Setup Walkthrough program can also be used to 

create new configuration files. 

Scan configuration files are saved with the file extension .ini. By default, they are 

stored in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner, 

unless you specify otherwise. 

CyberCop Scanner also includes templates which you can use to store collections of 

desired scan settings and module settings: 

• Scan settings can be saved in a scan settings template, with the file extension 

.scn. 

• Module settings can be saved in a module configuration template with the file 

extension .mod. 

You can use these templates when you create new scan configuration files, to avoid 

having to configure settings individually. By default, templates are stored in 

c:\Program Files\Network Associates\SMI Products\CyberCop Scanner\templates, 




CyberCop Scanner also includes a file scan.ini as an example scan configuration file 

to be used only for scans run from the command line. This example file is stored in 

c:\Program Files\Network Associates\SMI Products\CyberCop Scanner. In order to 

run scans from the command line, you must first make a copy of the example file and 

then edit the file to modify the scan settings and enable the modules you wish to use. 

Once a scan configuration file is loaded, you can view the selected scan settings and 

module settings on the Current Configuration tab. The Current Configuration tab 

lists the currently selected scan settings and module settings, in addition to the current 

settings of variables associated with modules in the Vulnerability Database. 

3-8 Chapter 3


About the Setup Walkthrough Program 

When you start CyberCop Scanner for the first time, you will be prompted to create a 

startup scan configuration file. A Setup Walkthrough program will guide you 

through loading the default configuration file scanner.ini, allowing you to enter 

parameters specific to the network(s) that you will be scanning. 

You can also open the Setup Walkthrough program by selecting the File>New Config 

File... menu item. Alternatively, click the New toolbar icon. 

The Setup Walkthrough program will prompt you to specify the following information 

before you can use the default configuration file: 

• DNS domain name of the target network 

• NIS domain name of the target network 

• fake DNS server name 

• IP range to scan 

• module configuration template to use 

• scan settings template to use 

To view additional instructions for entering this information: Place the cursor in 

one of the textboxes. An explanation will be displayed in the NOTES section of the 

dialog box. Additional information is provided below. 

DNS and NIS Domain Names 

CyberCop Scanner will attempt to locate the DNS and NIS domain names in the 

Windows NT Registry. If CyberCop Scanner is unable to locate this information, these 

fields will be blank. You should enter the domain names of the target network, 

otherwise certain modules which depend on this information will not perform 

properly. 



Fake DNS Server Name 

A number of CyberCop Scanner modules test the security of a DNS server. For internet 

connected systems, this requires having a fake DNS server to pass vulnerability 

information back to CyberCop Scanner. If your internal DNS system contains 

sensitive information, we recommend that you set up your own fake DNS server on 

your network. Otherwise, your information will be transmitted to the default DNS 

server, which is NAI’s fake DNS server. You have three options: 

• you can use the internet-connected NAI DNS fake servers 

• you can install an NAI fake server on your network 

• you can disable DNS checks (module class 17000 Domain Name System and 

BIND) 

If you wish to use your own fake server, instructions for installing and configuring the 

NAI DNS fake server on a network are included in the document displayed in the 

NOTES section of the Setup Walkthrough dialog box. To view this document, place 

the cursor in the Fake DNS Server Name textbox. The document is also available as a 

text file dns.txt included with your software distribution. 

NOTE: If you use the internet-connected NAI DNS fake servers, do not change 

the default entry in the Setup Walkthrough. Otherwise, the DNS checks will not 

work. 

IP Range to Scan 

By default, the Local Host is entered for the IP range to scan. You can enter a different 

host or range of hosts if you wish. For examples of how to enter an IP range, place the 

cursor in the IP Range to Scan textbox. Examples will be displayed in the NOTES 

section below the textbox. 

3-10 Chapter 3


Module Configuration Template 

A module configuration template contains a preselected set of module classes and 

modules to run for a scan. In the Setup Walkthrough program, you will be asked to 

select one of the module configuration templates listed below: 

• Default 

• All Modules 

• CASL checks 

• Denial of Service 

• DNS checks 

• FTP checks 

• HTTP checks 

• Information checks 

• NT Policy checks 

• Password Grinding 

• Port Scanning 

• SMTP checks 

• Unix checks 

• Windows checks 

The Default template has the following modules disabled: module class 8000 (Denial 

of Service Attacks), module class 9000 (Password Guessing/Grinding), and certain 

modules in other module classes which are considered dangerous because they could 

cause machines to crash, for example certain port scanning modules. 

The All Modules template enables all modules including Denial of Service Attacks 

and other modules considered dangerous. The other module templates can be used to 

perform various types of scans. 

NOTE: Important! The module class named Denial of Service Attacks is 

disabled in the Default template. We recommend that you do not perform Denial 

of Service checks on your network for this tutorial. In order to check for these 

vulnerabilities, an actual hostile attack must be performed against a computer. 

Denial of Service Attacks can have undesirable effects, including network 

congestion, computer instability, crashes, and reboots. 

NOTE: Enabling password grinding functions can result in account lockout(s) 

for systems with password grinding protection enabled. 

Scan Settings Template 

Finally, you will be asked to select a scan settings template. A scan settings template 

contains a set of scan parameters that will be used for a scan. A default scan settings 

template labeled Default is provided. 



Using the Default Configuration File 

When you start CyberCop Scanner for the first time, the Setup Walkthrough program 

will guide you through loading the default configuration file scanner.ini. You will be 

prompted to enter parameters specific to the network(s) that you will be scanning. 

To use the default configuration file, follow these steps: 

1. When you open CyberCop Scanner for the first time after installation, a dialog box 

asks if you wish to create a startup configuration file. Click Yes. The Setup 

Walkthrough program will open, with scanner.ini listed in the Scan 

Configuration File Name textbox. 

Then click Next. 

2. Next you will be prompted to enter the following information: 

• the DNS domain name of the target network 

• the NIS domain name of the target network 

• the fake DNS server name 

• the IP range to scan 

Enter this information in the textboxes provided. You should not leave these 

textboxes blank, otherwise certain modules which depend on this information will 

not work properly. 

NOTE: For an explanation of the above information, see the section, “About the 

Setup Walkthrough Program,” earlier in this chapter. You can also view 

instructions for entering this information by placing the cursor in one of the 

textboxes. An explanation will be displayed in the NOTES section of the Setup 

Walkthrough dialog box 

Click Next to continue. 

3. Next you must select a module configuration template. To use the default module 

configuration template, select Default to highlight it. 








3-12 Chapter 3


4. Next you must select a scan settings template. To use the default scan settings 

template, select Default to highlight it. 

5. Click Finish to exit the Setup Walkthrough program. 

The Setup Walkthrough will be closed and the Scan menu will be enabled, allowing 

you to begin a scan. The name of the currently loaded scan configuration file 

(scanner.ini) will be displayed in the CyberCop Scanner title bar. 

You can view your selected scan settings using the Configure>Scan Settings... menu 

item. You can view the selected modules using the Configure>Module Settings... 

menu item. You can also view selected scan settings and module settings by switching 

to the Current Configuration tab of CyberCop Scanner. The Current Configuration 

tab also lists the current settings of variables associated with modules in the 

Vulnerability Database. 



Setting Up a New Configuration File 

This section gives step-by-step instructions for creating a new scan configuration file. 

You will learn how to select and deselect modules and module classes for a scan. You 

will also learn how to create a scan settings template and a module configuration 

template. 

Creating a New Configuration File 

If you do not want to use the default configuration file, you can create a new 

configuration file. You can do this in two ways: 

• by selecting the File>New Config File... menu item. This option opens the Setup 

Walkthrough program, allowing you to select and/or edit a scan settings template 

and a module configuration template. Alternatively, click the New toolbar icon. 

• byusingtheConfigure menu to select the desired scan settings, module settings, 

and application settings. Then you can save these settings as a new configuration 

file by selecting the File>Save Config As... menu item. 

To create a new configuration file using the Setup Walkthrough program, follow these 

steps: 

1. Select the File>New Config File... menu item. The Setup Walkthrough program 

will open. Alternatively, click the New toolbar icon. 

2. In the Scan Configuration File Name textbox, enter a name for the new 

configuration file. You do not need to add the file extension .ini. It will be added 

automatically. 

By default, the file will be stored in c:\Program Files\Network Associates\SMI 

Products\CyberCop Scanner. To save the file in another location, click the Save 

As button to browse for a different directory or drive. 


3. Next you will be prompted to enter the following information: 

• the DNS domain name of the target network 

• the NIS domain name of the target network 

• the fake DNS server name 

• the IP range to scan 

Enter this information in the textboxes provided. You should not leave these 

textboxes blank, otherwise certain modules which depend on this information will 

not work properly. 

3-14 Chapter 3


NOTE: For an explanation of the above information, see the section, “About the 

Setup Walkthrough Program,” earlier in this chapter. You can also view 

instructions for entering this information by placing the cursor in one of the 

textboxes. An explanation will be displayed in the NOTES section of the Setup 

Walkthrough dialog box 


4. Next you must select a module configuration template. CyberCop Scanner 

includes several predefined module configuration templates which you can use to 

perform various types of scans. 

You have three options: select an existing template, edit an existing template, or 

create a new template. To learn more about selecting a module configuration 

template, see the section, “Creating and Editing Module Configuration 

Templates,” later in this chapter. 








5. Next you must select a scan settings template. You have three options: select an 

existing template, edit an existing template, or create a new template. To learn 

more about selecting a scan settings template, see the section, “Creating and 

Editing Scan Settings Templates,” later in this chapter. 


6. Click Finish to exit the Setup Walkthrough program. 

The new scan configuration file will be saved and loaded, ready to be used for the next 

scan. The Setup Walkthrough program will then close. The name of the new scan 

configuration file will be displayed in the CyberCop Scanner title bar. 

You can view your selected scan settings using the Configure>Scan Settings... menu 

item. You can view the selected modules using the Configure>Module Settings... 

menu item. You can also view selected scan settings and module settings by switching 

to the Current Configuration tab of CyberCop Scanner. The Current Configuration 

tab also lists the current settings of variables associated with modules in the 




Selecting and Deselecting Modules 

After loading a scan configuration file, you can change the module configuration by 

selecting or deselecting modules and module classes. To do this, you open the Module 

Configuration dialog box by choosing the Configure>Module Settings... menu item. 

The Module Configuration dialog box allows you to do the following: 

• view currently selected modules 

• view detailed descriptions of individual modules 

• select and deselect modules and module classes by (1) enabling and disabling 

checkboxes, (2) by using the dialog box buttons, or (3) by using context menus 

that are opened by right-clicking 

• select either vulnerability modules, which check for vulnerabilities, or CASL 

modules, which run CASL firewall filter checks 

• save changes as a new module configuration template to use in other scan 

configuration files 

• save changes to the scan configuration file 

Viewing Currently Selected Modules 

The Module Configuration dialog box displays two listboxes which allow you to view 

currently selected module classes and modules. 

• The Module Groups listbox displays the module classes available in the 

Vulnerability Database. The module class number (ID) and name are listed. A 

checkmark indicates that a module class has been enabled. To view the modules 

in a particular module class, click on a module class in the Module Groups listbox 

to highlight it. 

• The Module Selection listbox displays the modules available within a particular 

module class. The module number (ID) and name are listed. A checkmark 

indicates that a module has been selected for a scan. 

You can scroll through the listboxes to view which module classes and modules have 

been enabled. You can expand the width of one listbox relative to the other by dragging 

the vertical bar that separates them. 

Viewing a Module Description 

To view a detailed description of a module, do the following: 

1. First click on the module class to which the module belongs to highlight it. The 

Module Selection listbox on the right will display a list of the modules that belong 

to the highlighted module class. 

3-16 Chapter 3


2. Next, in the Module Selection listbox, click on a module to highlight it. A 

description of the module will be displayed below the listbox in the Module 

Description box. 

NOTE: You can also view module descriptions for all modules in the 

Vulnerability Database by using the Vulnerability Guide, which is included in 

the report viewer. To view the Vulnerability Guide, select the Reports>View 

Results... menu item. The report viewer will open, listing available report 

templates. At the bottom of the list, double click on Vulnerability Guide. An 

indexed tree view of module numbers will be displayed. Click on a module 

number to display a description. 

Selecting and Deselecting Modules 

To select and deselect modules for a scan, try the following methods: 

1. In the Module Groups listbox, click on a checkbox to either enable the module 

class (checkmark in box) or disable it (no checkmark in box). 

Then, in the Module Selection listbox, click on an individual module checkbox to 

either enable it (checkmark in box) or disable it (no checkmark in box). 

NOTE: The module class to which a module belongs must be selected first, 

before you can select an individual module for a scan. 

2. Use the Module Configuration dialog box buttons: 

• Select Default 

• Unselect Dangerous 

• Select All/Unselect All 

NOTE: Important! The Select All button enables module class 8000 (Denial of 

Service Attacks) and other modules considered dangerous which are indicated 

by a red warning sign. We recommend that you do not perform Denial of Service 

checks on your network for this tutorial. In order to check for these 




NOTE: Enabling password grinding functions can result in account lockout(s) 

for systems with password grinding protection enabled. 



• Select Group/Unselect Group 

• Copy From 

For a description of these buttons, refer to CyberCop Scanner Help, online help 

for CyberCop Scanner. 

3. Use the context menus. To open a context menu, right-click on either the Module 

Groups listbox or the Module Selection listbox. The context menus include menu 

commands similar to the dialog buttons listed above. 

Selecting CASL Modules or Vulnerability Modules 

CyberCop Scanner includes firewall filter checks which can be used to test intrusion 

detection software. The CASL firewall filter checks include the modules in module 

class 12000 (Packet Filter Verification Tests). 

1. To enable the CASL modules, click the Scan Type>CASL Modules radio button. 

Module class 12000 will be listed in the Module Groups listbox, allowing you to 

select individual CASL modules for a firewall filter check. 

2. To disable the CASL modules and return to the modules which perform 

vulnerability checks, click the Scan Type>Vulnerability radio button. All the 

available module classes except module class 12000 will be listed in the Module 

Groups listbox. 

NOTE: The Vulnerability module classes do not use all available module class 

numbers. Some module class numbers are skipped. 

Saving Changes as a Module Configuration Template 

To save changes as a new module configuration template, do the following: 

1. Enable the Save As Template checkbox. 

2. Enter a name for the template in the textbox. The file extension .mod will be 

added automatically. By default, the template will be saved in c:\Program 

Files\Network Associates\SMI Products\CyberCop Scanner\templates. 

Saving Changes to the Scan Configuration File 

To save changes to the currently loaded scan configuration file, do the following: 

1. Click the OK button. The changes will be saved and the Module Configuration 

dialog box will close. 

2. To cancel changes, click the Cancel button. The Module Configuration dialog box 

will close. 

3-18 Chapter 3


Creating and Editing Scan Settings Templates 

You can create and edit scan settings templates to store collections of desired scan 

settings. You can use these templates when you create new scan configuration files, to 

avoid having to configure settings individually. You can also delete templates. 

Scan settings templates have the file extension .scn. By default, templates are stored 

in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner\templates, 


To configure a scan settings template, follow the steps below. 

Creating a New Template 

To create a new template, do the following: 

1. Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup 

dialog box will open, displaying tabs that allow you to configure scan settings. 

2. Select the desired scan settings by switching between tabs and using the screen 

controls. For more information on scan settings, refer to CyberCop Scanner Help, 

online help for CyberCop Scanner, accessible by selecting the Help>Help 

Topics... menu item. 

3. On the Scan Settings tab, enable the Save As Template checkbox. Enter a name 

for the template in the textbox. You do not need to enter the file extension .scn. 

4. Click OK to close the dialog box and save the template. 

Alternatively, you can create a new template using the Setup Walkthrough program, 

as described below. 

The next time you create a new scan configuration file using the Setup Walkthrough 

program, the new template will be listed for you to select. 

Editing an Existing Template 

To edit an existing template, do the following: 

1. Open the Setup Walkthrough program by selecting the File>New Config File... 

menu item. Alternatively, click the New toolbar icon. The Setup Walkthrough 

dialog box will open. 

2. Enter a name in the Scan Configuration File Name textbox. Then click Next until 

the Scan Settings Templates listbox is displayed, listing available templates. 

3. Click on a template to highlight it, then click the Edit button to make changes. 

Alternatively, click the New button to create a new template. 



The Edit CyberCop Scanner Template dialog box will open, allowing you to select 

desired scan settings. For more information on scan settings, refer to CyberCop 

Scanner Help, online help for CyberCop Scanner, accessible by selecting the 

Help>Help Topics... menu item. 

NOTE: You cannot edit the default template. Therefore, you must save the 

edited template under a new name. 

4. After selecting scan settings, click OK to close the Edit CyberCop Scanner 

Template dialog box and save the template. 

You can use the edited template in the current scan configuration file by continuing the 

Setup Walkthrough program, or you can use it in a new scan configuration file. 

Deleting a Template 

To delete a template, do the following: 





the Scan Settings Templates listbox is displayed, listing available templates. 

3. Click on a template to highlight it, then click the Delete button to delete the 

template. 

The deleted template will be deleted from your CyberCop Scanner files and removed 

from the listbox. 

3-20 Chapter 3


Creating and Editing Module Configuration Templates 

You can create and edit module configuration templates to store selected modules and 

module classes. You can use these templates when you create new scan configuration 

files, to avoid having to configure settings individually. You can also delete templates. 

Module configuration templates have the file extension .mod. By default, templates 

are stored in c:\Program Files\Network Associates\SMI Products\CyberCop 

Scanner\templates, unless you specify otherwise. 

To configure a module configuration template, follow the steps below. 

Creating a New Template 

To create a new template, do the following: 

1. Select the Configure>Module Settings... menu item. The Module Configuration 

dialog box will open, allowing you to select and deselect modules and module 

classes. For more information on module settings, refer to CyberCop Scanner 

Help, online help for CyberCop Scanner, accessible by selecting the Help>Help 

Topics... menu item. 

2. Enable the Save As Template checkbox. Enter a name for the template in the 

textbox. You do not need to enter the file extension .mod. 

3. Click OK to close the dialog box and save the template. 

Alternatively, you can create a new template using the Setup Walkthrough program, 

as described below. 

The next time you create a new scan configuration file using the Setup Walkthrough 

program, the new template will be listed for you to select. 



Editing an Existing Template 

CyberCop Scanner includes several predefined module configuration templates which 

you can use to perform various types of scans, including the following: 

• Default 

• All Modules 

• CASL checks 

• Denial of Service 

• DNS checks 

• FTP checks 

• HTTP checks 

• Information checks 

• NT Policy checks 

• Password Grinding 

• Port Scanning 

• SMTP checks 

• Unix checks 

• Windows checks 

To edit an existing template, do the following: 





the Module Configuration Templates listbox is displayed, listing available 

templates. 

3. Click on a template to highlight it, then click the Edit button to make changes. 

Alternatively, click the New button to create a new template. 

The Module Configuration dialog box will open, allowing you to select and 

deselect modules and module classes. For more information on module settings, 

refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by 

selecting the Help>Help Topics... menu item. 

NOTE: You cannot edit the predefined templates included with CyberCop 

Scanner. Therefore, you must save the edited template under a new name. 

4. After selecting desired settings, click OK to close the Module Configuration 

dialog box and save the template. 

You can use the edited template in the current scan configuration file by continuing the 

Setup Walkthrough program, or you can use it in a new scan configuration file. 

3-22 Chapter 3


Deleting a Template 

To delete a template, do the following: 





the Module Configuration Templates listbox is displayed, listing available 

templates. 

3. Click on a template to highlight it, then click the Delete button to delete the 

template. 

The deleted template will be deleted from your CyberCop Scanner files and removed 

from the listbox. 



Loading an Existing Configuration File 

If you have previously created a scan configuration file, you can load it to use for the 

next scan. 

To load an existing scan configuration file, do the following: 

1. Select the File>Open Config File... menu item. Alternatively, click the Open 

button on the Toolbar. The Open dialog box will be displayed. 

2. Select the drive and the directory where the scan configuration file (.ini)youwish 

to use is located. By default, scan configuration files are located in c:\Program 

Files\Network Associates\SMI Products\CyberCop Scanner. 

3. Enter or select the name of the scan configuration file. Then click OK to close the 

dialog box. 

Once the scan configuration file is loaded, you can view your selected scan settings 

using the Configure>Scan Settings... menu item. You can view the selected modules 

using the Configure>Module Settings... menu item. You can also view selected scan 

settings and module settings by switching to the Current Configuration tab of 


3-24 Chapter 3


Probing for Responsive Hosts 

You can use the probe feature of CyberCop Scanner to detect responsive hosts on a 

network without scanning them for vulnerabilities. You can use this feature to generate 

a network map and to troubleshoot hosts. The probe will be performed on the hosts 

specified in the currently loaded configuration file. 

For each host, probing does the following: 

• identifies if the host is responsive 

• determines the operating system type 

• performs a trace route to generate a network map 

Results during a probe can be viewed on the Scan Progress tab. The Scan Progress tab 

will list hosts that are found to be responsive. It will also list their operating system 

type, if identification of the operating system type is enabled. In addition, it will list 

unresponsive hosts that have been skipped, if displaying messages for hosts that have 

been skipped is enabled. 

Probe also runs module no. 1041 (Trace Route to Host). The results of the trace route 

are then saved to a .map file, if saving results to a map file is enabled. You can use the 

results to generate a network map using the Reports>Network Map... menu item. 

NOTE: To enable displaying messages for unresponsive hosts that have been 

skipped, select the Configure>Applications Settings... menu item. The 

Application Settings dialog box will open. In the Main Screen Display Attributes 

section of the dialog box, enable the Display Hosts Skipped Messages checkbox. 

To enable identification of the operating system type for responsive hosts, select 

the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog 

box will open. Switch to the Scan Options tab and put a checkmark in the Enable 

Operating System Identification checkbox. This checkbox is enabled by default. 

To enable saving results of a probe to a .map file, select the Configure>Scan 

Settings... menu item. The CyberCop Scanner Setup dialog box will open. 

Switch to the Scan Options tab. Enable the Host Information File checkbox and 

specify a name for the network map file that will be generated. By default, the 

checkbox is enabled and the filename results.map is specified. 



Starting a Probe 

Stopping a Probe 

To start a probe, do the following: 

1. Load the scan configuration file you wish to use. The probe will be performed on 

hosts specified in the currently loaded scan configuration file. 

2. If you wish to list unresponsive hosts that have been skipped, identify the 

operating system type, and also generate a network map, make sure the following 

scan settings and application settings are enabled: 

• To enable displaying messages for unresponsive hosts that have been 

skipped, select the Configure>Applications Settings... menu item. The 

Application Settings dialog box will open. In the Main Screen Display 

Attributes section of the dialog box, enable the Display Hosts Skipped 

Messages checkbox. 

• To enable identification of the operating system type for responsive hosts, 

select the Configure>Scan Settings... menu item. The CyberCop Scanner 

Setup dialog box will open. Switch to the Scan Options tab and put a 

checkmark in the Enable Operating System Identification checkbox. This 

checkbox is enabled by default. 

• To enable saving results of a probe to a .map file, select the Configure>Scan 


Switch to the Scan Options tab. Enable the Host Information File checkbox 

and specify a name for the network map file that will be generated. By 

default, the checkbox is enabled and the filename results.map is specified. 

3. Select the Scan>Begin Probe menu item to start the probe. Alternatively, click 

the Begin Probe toolbar icon. 

The probe will begin. Results during the probe will be displayed on the Scan Progress 

tab of CyberCop Scanner. 

To stop a probe, do the following: 

Select the Scan>Cancel Scan... menu item. Alternatively, click the Cancel Scan 

toolbar icon. The probe will be stopped. 

Results of the incomplete probe will be displayed on the Scan Progress tab. 

3-26 Chapter 3


Scanning a Host 

Starting a Scan 

This section gives step-by-step procedures for starting and stopping a scan. You will 

also learn how to view currently running modules and view results during a scan. 

After you load a scan configuration file, you can start a scan. The scan will be 

performed on the hosts specified in the current scan configuration file, using the 

pre-selected modules and module classes. 

Scan results will be saved in the event database specified in the current configuration 

file. By default, the local event database events.mdb located at c:\Program 

Files\Network Associates\SMI Products\SMI\Shared\EventDB is used, unless you 

specified otherwise. 

To start a scan, do the following: 

1. If you wish to specify an event database other than the one specified in the current 

scan configuration file for storing scan results, follow these steps: 

• Select the Configure>Scan Settings... menu item. The CyberCop Scanner 

Setup dialog box will open. 

• On the Scan Settings tab, in the Scan Results Output Database textbox, enter 

the name and location of the event database you wish to use to store results. 

Alternatively, click the Browse button to select an event database. 

2. If you wish to identify the operating system type of hosts during a scan, you can 

do the following: 

• To identify the operating system type, select the Configure>Scan Settings... 

menu item. The CyberCop Scanner Setup dialog box will open. Switch to the 

Scan Options tab and put a checkmark in the Enable Operating System 

Identification checkbox. This checkbox is enabled by default. 

• If you wish to disable modules that are not pertinent to the operating system 

of a machine being scanned, on the Scan Options tab, enable both the Enable 

Operating System Identification checkbox and the Allow Modules to Be 

Disabled Based on Detected Operating System checkbox. 

• If you wish to scan only hosts that have a specified operating system, on the 

Scan Options tab, enable the Enable Operating System Identification 

checkbox and enable the Scan by OS checkbox. Then select operating 

systems to be scanned in the listbox to highlight them. 

3. Select the Scan>Begin Scan menu item to start the scan. Alternatively, click the 

Begin Scan toolbar icon. 



The scan will begin. The progress of the scan will be displayed on the Scan Progress 

tab. In the Currently Running Hosts and Modules pane, the hosts currently being 

scanned will be displayed, along with the operating system detected and the status of 

the scan. In addition, a status bar will show scan progress. A running count of the 

number of vulnerabilities identified, the number of hosts to be scanned, and the 

number of hosts completed will also be displayed. 

Results of the scan, including vulnerabilities that are found and any module output, 

will be displayed on the Scan Results tab. 

You can view (but not change) the scan settings and module settings during a scan on 

the Current Configuration tab. 

Scanning Over a Modem 

Hosts that are accessible via analog modem and hosts that are on the other side of a 

firewall which prevents you from routing to them are called unroutable hosts. To scan 

unroutable hosts, follow the steps below. 

To run scans via an analog modem connection, you must first do the following: 



2. Switch to the Engine Options tab. Then enable the Scan Unroutable Hosts 

checkbox. 

NOTE: Certain modules require a raw Ethernet device to run. These modules 

will not function over an analog dialup connection. 

3-28 Chapter 3


Viewing Currently Running Modules 

You can view the currently running modules on a particular host while a scan is in 

progress. 

To view currently running modules, do the following: 

1. Click the Scan Progress tab. 

On the Scan Progress tab, in the Currently Running Hosts and Modules pane, the 

hosts currently being scanned will be displayed. 

Above the Currently Running Hosts and Modules pane, the following information 

will also be displayed: 

• Hosts to Scan: number of hosts to be scanned 

• Hosts in Progress: number of hosts completed including skipped hosts 

• Hosts Scanned: number of hosts scanned (not including skipped hosts) 

• Vulnerabilities: total number of vulnerabilities found on all machines 

scanned 

• Start Time: start time of scan 

• Elapsed Time: elapsed time of scan 

2. In the Currently Running Hosts and Modules pane, double click on a desired host. 

The Currently Running Modules for Host Number dialog box will open. The host 

number is the ID number of the host listed in the Currently Running Hosts and 

Modules pane. 

The dialog box will list the modules currently running on that host. 



Stopping Currently Running Modules 

You can stop a currently running module on a particular host while a scan is in 

progress. You can stop one module at a time. 

To stop a currently running module, do the following: 

1. Switch to the Scan Progress tab of CyberCop Scanner. In the Currently Running 

Hosts and Modules pane, the hosts currently being scanned will be listed. 

2. In the Currently Running Hosts and Modules pane, double click on a desired host 

to open the Currently Running Modules for Host Number dialog box. The dialog 

box will list the modules currently running on that host. 

3. To stop a currently running module, in the Currently Running Modules for Host 

Number dialog box, click on a module to highlight it. Then click the Stop Module 

button. 

The selected module will be stopped and removed from the list for that host. 

NOTE: Repeat this step if you want to delete more than one module. 

4. When you are finished, click OK to close the dialog box. 

3-30 Chapter 3


Viewing Results During a Scan 

You can view scan results in real time during a scan using the Scan Results tab of 

CyberCop Scanner. You can hide and redisplay the Scan Results tab. 

To view results during a scan on the Scan Results tab, follow these steps: 

1. To display the Scan Results tab, do the following: 

• Select the Configure>Application Settings... menu item. The Application 

Settings dialog box will open. 

• In the Main Screen Display Attributes section of the dialog box, enable the 

Show Scan Results checkbox. The Scan Results tab will be displayed. 

NOTE: For large scans, it is recommended that the Show Scan Results checkbox 

be disabled. Otherwise, resource starvation may occur that can cause problems 

during a scan. 

The Scan Results tab includes three listboxes: Vulnerabilities, Module Output, 

and Module Descriptions. You can expand one listbox relative to another by 

clicking and dragging the horizontal or vertical line which separates them. 

2. On the Scan Results tab, in the Vulnerabilities listbox, an indexed tree view lists 

each host scanned. Click on a node in the tree view to expand it. A list of the 

vulnerabilities found on that host will be displayed. Vulnerabilities are listed by 

module number. 

3. Click on a vulnerability module number to highlight it. A detailed description of 

the module will be displayed in the Module Description listbox, including 

suggestions for fixes. Any module output generated by that module running on the 

selected host will be displayed in the Module Output listbox. 

4. Certain modules are "Fix It" modules used in conjunction with Windows NT 

Registry checks. These modules have a Fix It portion that can perform a fix to 

Registry values to correct potential vulnerabilities detected by CyberCop Scanner. 



NOTE: Important! The Fix It modules work in conjunction with specific 

vulnerability checks on scanned machines. Fix It modules can be used to fix 

vulnerable registry settings found on scanned machines. As with any change to 

Windows registry settings, if the Fix It modules are not used correctly they can 

potentially have a serious impact on the normal functioning of scanned systems 

including (but not limited to) greatly restricted ability to participate on a 

network. You must keep a careful record of the machines to which you apply Fix 

It modules so that you can, if necessary, undo the changes later. CyberCop 

Scanner does not log or report the machines on which Fix It modules were 

applied, nor does it log or report on whether or not the fix was successful on these 

machines. 

NOTE: In order to use the Fix It modules to perform a fix, you must have 

domain administrator access on the target host. 

Canceling a Scan 

If a host has vulnerabilities for which a Fix It module is available, the host node will 

display a wrench icon. Expand a node which displays a wrench icon. Vulnerabilities 

foundonthathostforwhichaFixItmoduleisavailablewillalsobeshowninthetree 

view with a wrench icon. Modules that do not display a wrench icon do not have a Fix 

It portion. 

After a scan is completed, you can enable the Fix It portion for individual 

vulnerabilities and hosts. Then you can perform the fixes. For information on enabling 

and running Fix It modules, see the section, “Using Fix It Modules,” later in this 

chapter. 

To cancel a scan, do the following: 

Select the Scan>Cancel Scan menu item. Alternatively, click the Cancel Scan toolbar 

icon. 

Results from the unfinished scan will be saved in the event database specified in the 

current configuration file. You can also view results from the unfinished scan on the 

Scan Progress tab. 

When you cancel a scan before it is finished, CyberCop Scanner generates a text file 

UnScannedHosts.txt located at c:\Program Files\Network Associates\SMI 

Products\CyberCop Scanner. This text file lists hosts that were not yet scanned when 

the scan was canceled. You can use this text file as a host file if you wish to resume 

the scan later. 

3-32 Chapter 3


Scanning Multiple Hosts 

This section gives step-by-step procedures for scanning multiple hosts. You will also 

learn the syntax for specifying a range of hosts by their IP addresses. 

About Scanning Multiple Hosts 

You can configure CyberCop Scanner to scan multiple hosts. You can do this in two 

ways: 

• by specifying a Host Range 

• by specifying a Host File 

Both these options allow you to enter a range of IP addresses to be scanned, as 

described below. 

Specifying a Host Range 

A host range is a group of hosts specified as a range of IP addresses. To use a host 

range, you specify hosts to be scanned by entering a range of IP addresses in the Range 

textbox on the Scan Settings tab. CyberCop Scanner will scan each host with an IP 

address in this range. If you have chosen to skip unresponsive hosts, CyberCop 

Scanner will attempt to scan a host first and then stop if the host is unresponsive. 

NOTE: To skip unresponsive hosts during a scan, select the Configure>Scan 


Switch to the Engine Options tab. In the Host Query section of the dialog box, 

disable the Scan Unresponsive Hosts checkbox (no checkmark in box). 

Specifying a Host File 

A host file is a text file listing hosts to be scanned. To use a host file, you specify a 

group of hosts to be scanned by entering a range of IP addresses into a text file. 

CyberCop Scanner will scan each host listed in the host text file. If you have chosen to 

skip unresponsive hosts, CyberCop Scanner will attempt to scan a host first and then 

stop if the host is unresponsive. 

A host file allows you to list hosts in a text file and save the list for a future scan. 

CyberCop Scanner includes a default host text file called hosts.txt, located at 

c:\Program Files\Network Associates\SMI Products\CyberCop Scanner. By default, 

this file includes only the local host. You can edit the file using Notepad to add hosts 

to be scanned. 



Entering a Range of IP Addresses 

IP address ranges can be specified as in the following examples: 

10.0.0.1 scans one host. 

10.0.0.10-20 scans the range between 10 and 20 inclusive. 

10.0.0.10-20;-10.0.0.15 scans the range between 10 and 20, excluding host 15. 

10.0.0.1,10.0.0.2 scans two hosts (10.0.0.1 and 10.0.0.2) in the order listed. 

10.0.0.1;10.0.0.2 scans the same two hosts (10.0.0.1 and 10.0.0.2) in the order 

listed. 

10.0.0.1,2,4 scans three hosts (10.0.0.1, 10.0.0.2, and 10.0.0.4). 

10.0.0.0/24 scans a class C range 10.0.0.1-10.0.0.254. 

10.0.0.0/16 scans 10.0.1.0-10.0.254.254. 

127.0.0.1 scans the local host, which is running CyberCop Scanner. 

You can filter out a host or host(s) from a range of IP addresses by placing a minus 

sign (-) directly in front of the IP address you wish to exclude, as in the third example 

above. 

You can specify multiple single host IP addresses by separating them with a 

semi-colon, as in the fifth example above. 

You can specify a series of IP addresses on the same class C network by using commas 

to separate the last octet, as in the sixth example above. 

NOTE: Do not place leading or trailing spaces in the IP address line. 

3-34 Chapter 3


Scanning Using a Host Range 

To scan hosts by entering an IP address range, do the following: 



2. On the Scan Settings tab, enable the Host Range radio button. Enter IP addresses 

(x.x.x.x where "x" is substituted with an IP number, 1-254) corresponding to 

target hosts on a network in the Range textbox. To learn how to specify a range of 

IP address, see the earlier section, “Entering a Range of IP Addresses.” 

3. Start a scan using the Scan>Begin Scan menu item. Alternatively, click the Begin 

Scan toolbar icon. 

Scanning Using a Host File 

To scan multiple hosts listed in a text file (also called a host file), do the following: 



2. On the Scan Settings tab, enable the Host File radio button. The File Name textbox 

will be enabled. 

3. The host file is a text file (.txt). You can edit the default host file, hosts.txt. 

Alternatively, you can create a new host file or load a different host file. 

• To create a new host file, enter a filename in the File Name textbox. 

• To load a different host file, click the "..."buttonnexttotheFileName 

textbox. The Open dialog box will be displayed, allowing you to load an 

existing host file (.txt). 

NOTE: If you cancel a scan before it is finished, CyberCop Scanner generates a 

text file UnScannedHosts.txt located at c:\Program Files\Network 

Associates\SMI Products\CyberCop Scanner. This text file lists hosts that were 

not yet scanned when the scan was canceled. You can use this text file as a host 

file if you wish to resume the scan later. 

4. To edit a host file, enter a filename in the File Name textbox. Then click the Edit 

File button. The text file will open in Notepad, allowing you to make changes to 

the file. Save the changes to the text file and then close the file. 

To learn how to specify a range of IP addresses, see the earlier section, “Entering 

a Range of IP Addresses.” 

5. Then start a scan by selecting the Scan>Begin Scan menu item. Alternatively, 

click the Begin Scan toolbar icon. 



Using Fix It Modules 

Certain modules are "Fix It" modules used in conjunction with Windows NT Registry 

checks. These modules have a Fix It portion that can perform a fix to Registry values 

to correct potential vulnerabilities detected by CyberCop Scanner. After a scan is 

completed, you can enable the Fix It portion for individual vulnerabilities and hosts. 

Then you can perform the fixes. 











machines. 



To enable or disable the Fix It portion, you use the Scan Results tab after a scan is 

completed. The Scan Results tab displays an indexed tree view of vulnerabilities found 

for each host scanned. If a host has vulnerabilities for which a Fix It module is 

available, the host node in the indexed tree view displays a wrench icon. 

When you expand a node which displays a wrench icon, you will see that some of the 

vulnerabilities listed also display a wrench icon. If a vulnerability displays a wrench 

icon, then a Fix It module is available for that vulnerability. 

NOTE: You can also see which modules have Fix It portions on the Current 

Configuration tab of CyberCop Scanner. In the Selected Modules table, in the 

Fix column, a Yes value indicates that a Fix It portion is available. (A Yes value 

in this column does not mean that the Fix It portion has been enabled.) 

To use Fix It modules, you follow these general steps: 

1. First perform a scan and then view results to determine if any vulnerabilities that 

were found have Fix It modules associated with them. 

2. Enable or disable the Fix It portions of these modules for the vulnerabilities and 

hosts you choose. 

3-36 Chapter 3


3. Begin a second scan to apply the enabled fixes. You must have domain 

administrator access on the target hosts in order to apply the fixes. 

Performing an Initial Scan 

To perform a scan to determine if Fix It modules can be used, follow these steps: 

1. First select modules that have Fix It portions for a scan. To see whether a selected 

module has a Fix It portion, switch to the Current Configuration tab. In the 

Selected Modules table, in the Fix column, a Yes value indicates that a Fix It 

portion is available. For example, certain modules in module classes 16000, 

18000, and 24000 have Fix It portions. 

2. Next perform a scan using these and any other modules you wish to run. You can 

view results in real time during a scan using the Scan Results tab. 

3. After the scan is completed, look at the results displayed on the Scan Results tab. 

If a host node in the indexed tree view displays a wrench icon, expand the node to 

list the vulnerabilities found on that host. 

Vulnerabilities for which a Fix It module is available will also display a wrench 

icon. 

Next you will enable or disable the Fix It portions for these vulnerabilities as desired. 

Enabling and Disabling Fix It Modules 

To enable and disable the Fix It portions of modules, you use the Scan Results tab. 

Follow these steps: 

1. In the Vulnerabilities listbox, expand a host node in the indexed tree view which 

displays a wrench icon. Individual fixes available for vulnerabilities found on that 

host will also display wrench icons. 

2. To enable all fixes for a particular host, click the wrench icon corresponding to the 

host node. A blue checkmark will be added over the wrench icon to indicate that 

all the available fixes are enabled for that host. Each available fix for that host will 

also display a wrench icon with a blue checkmark. 

3. To disable all fixes for a host, click on the wrench icon corresponding to the host 

node again to remove the blue checkmark. All the available fixes for that host will 

be disabled. 

4. To enable or disable individual fixes for vulnerabilities found on a host, in the 

expanded tree view, click a wrench icon for an individual fix to either enable it 

(blue checkmark added) or disable it (no blue checkmark). 



Alternatively, right-click in the Vulnerabilities listbox to open a context menu 

containing menu items which allow you to select and unselect fixes. For more 

information about the context menu items, refer to CyberCop Scanner Help, online 

help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu 

item. 

Next you will run the enabled Fix It modules to perform the fixes. 

Running Fix It Modules 

To run the Fix It portions of the selected modules, choose the Scan>Begin Fix menu 

item. Alternatively, click the Begin Fix toolbar icon. 

The Scan Progress tab will move to the front. In the Scan Progress Messages pane, the 

following information will be listed: 

• the host to which a fix is being applied 

• the module number of the fix 

The Scan Progress tab will report progress as the fixes are performed. 

3-38 Chapter 3

Exiting CyberCop Scanner 


To exit CyberCop Scanner, select the File>Exit menu item. CyberCop Scanner will 

close. 




You should now be familiar with the setup procedures required for performing a scan. 

You can: 

• configure a scan and select which modules and module classes are used for a scan 

• modify a scan configuration file, or load a different one 

• create scan settings templates and module configuration templates 

• start a scan or a probe 

• view currently running modules, and stop a currently running module if you 

choose to 

• view results during a scan 

• stop a scan in progress 

You can now go to Chapter 4, “Working With Scan Results.” Chapter 4 will lead you 

through the basics of viewing your scan results, and generating scan reports and 

network maps. 

3-40 Chapter 3

4Working With Scan Results 

4 

Introduction 

In Chapter 3, you learned how to perform a scan of your local host as well as how to 

scan multiple hosts. This chapter will lead you through working with your scan results. 

You will learn the following: 

• how to save scan results in a local event database 

• how to view scan results during a scan, and how to view scan results after a scan 

in the event database using the report viewer 

• how to query the event database to filter and sort scan records 

• how to generate and preview reports, including differential reports, and how to 

customize reports to specify which scan records are included in a report and how 

database fields will be sorted 

• how to export and print reports 

• how to generate a network map, which is a visual map of the scanned network 

Once you complete this chapter, you will be familiar with the above ways to work with 

your scan data. 


Working With Scan Results 

Saving Scan Results 

This section describes how scan results are saved in a local event database and explains 

how to specify which event database to use for storing results. 

About Scan Results 

During a scan, CyberCop Scanner scan results are automatically saved in a local event 

database. Data from unfinished scans is also saved in the event database. By default, 

the event database is named events.mdb and is located at c:\Program Files\Network 

Associates\SMI Products\SMI\Shared\EventDB. 

Scan results may also include a network map, which is a 3-dimensional rendition of 

links between the local host and target hosts. By default, the network map is saved with 

the filename results.map, located at c:\Program Files\Network Associates\SMI 

Products\CyberCop Scanner. 

Unless you specify otherwise, scan results and network maps are saved in the default 

locations given above. For example, if you perform ten scans, the results of the ten 

scans are appended to the default event database, events.mdb. If you want to store the 

results of each scan separately, you can specify a separate event database for each scan. 

This way, you can open different event databases as you wish to generate reports. 

After a scan, you can view scan results stored in the event database using the SMI 

report viewer. You can also generate reports that can be printed and exported into other 

applications. You can view network maps using the Reports>Network Map... menu 

item of CyberCop Scanner. 

About the Event Database 

The Security Management Interface stores CyberCop Scanner security results in a 

local event database. The database is called an event database because it stores a 

record of each security event, or vulnerability, logged by CyberCop Scanner. 

By default, the local event database is called events.mdb and it is located at 

c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB. This 

default event database is used both for saving scan results and generating reports. If 

you wish, you may specify a different event database for saving scan results. In this 

way, you can save results from different scans in separate event databases. You may 

also specify which event database is used to generate a report. 

On the SMI console tree of the Security Management Interface, the local event 

database is represented by a node called Event Database (events.mdb), whichis 

listed under the Services node. 

4-2 Chapter 4


Saving Results in an Event Database 

By default, scan results are automatically saved in the local event database 

events.mdb, located at c:\Program Files\Network Associates\SMI 

Products\SMI\Shared\EventDB. You may specify a different event database where the 

results of the next scan will be saved. You can do this in two ways: 

• from within CyberCop Scanner, using the Configure>Scan Settings... menu item 

• from within the SMI console window, using the AgentInfo utility 


In CyberCop Scanner 

To specify an event database for saving results from within CyberCop Scanner, follow 

these steps: 

1. From within CyberCop Scanner, select the Configure>Scan Settings... menu 

item. The CyberCop Scanner Setup dialog box will open, with the Scan Settings 

tab in front. 

2. On the Scan Settings tab, in the Scan Results textbox, the default output database 

will be listed. Click the Browse button to specify a different event database name. 

3. Enter the name of the event database you wish to use to store results for the next 

scan. You may choose an existing event database or specify a new one. The event 

database will be given a .mdb file extension. Then click Save. 

4. On the Scan Settings tab, click Apply to apply the changes. Or, click OK to apply 

the changes and also close the dialog box. 

During the next scan, CyberCop Scanner security results will be stored in the event 

database you specified. 


In the SMI Console Window 

To specify an event database for saving results from within the SMI console window, 

follow these steps: 

1. Open the SMI console window using the Start menu (Start>Programs>Network 

Associates>Security Management Interface). 

2. ClickontheWorkspace>Local Computer>AgentInfo>Event 

Configuration>Database node, where Local Computer is the host name of your 

local computer. 

The right pane of the SMI console window will display screen controls allowing 

you to change the default path to the local event database. 



3. Under the Database Path textbox, click the Change... button. The Database Path 

textbox will be enabled, allowing you to specify a different event database where 

security results will be saved. 

4. Enter the name and location of the event database you wish to use to store results 

for the next scan. The event database will be given a .mdb file extension. Then 

click OK. 

During the next scan, CyberCop Scanner security results will be stored in the event 

database you specified. 

4-4 Chapter 4


Configuring an Event Database 

From within the SMI console of the Security Management Interface, you can configure 

an event database to do the following: 

• specify where CyberCop Scanner security results will be stored for the next scan 

• enable automatic event database cleanup of events older than a specified age 

NOTE: Event forwarding to a remote event database is not supported in this 

release of CyberCop Scanner. 

To enable automatic cleanup of old events in an event database, do the following: 



2. On the SMI console tree, select the Workspace>Local 

Computer>AgentInfo>Event Configuration>Database node, where Local 

Computer is the host name of the local computer. 

The right pane of the SMI console window will display screen controls allowing 

you to change the database cleanup properties. 

3. Click the Change… button next to the Database Cleanup box. 

The Database Cleanup Settings dialog box will open, allowing you to specify the 

following cleanup settings: 

• the time when daily cleanups will begin 

• the age of events that will be removed 

4. Enable the checkbox to enable automatic database cleanup. Then click OK. 



Viewing Scan Results 

This section explains how to view scan results during a scan and how to view results 

stored in an event database after a scan is completed. This section also describes the 

four tabs of the report viewer and explains how they are used to view results. You can 

also query the event database to filter and sort scan records, as described below. 

Viewing Results During a Scan 

You can view scan results in real time during a scan using the Scan Results tab of 

CyberCop Scanner. You can hide and redisplay the Scan Results tab. 

To view results during a scan on the Scan Results tab, follow these steps: 

1. To display the Scan Results tab, do the following: 

• Select the Configure>Application Settings... menu item. The Application 


• In the Main Screen Display Attributes section of the dialog box, enable the 

Show Scan Results checkbox. The Scan Results tab will be displayed. 

NOTE: For large scans, it is recommended that the Show Scan Results checkbox 

be disabled. Otherwise, resource starvation may occur that can cause problems 

during a scan. 

The Scan Results tab includes three listboxes: Vulnerabilities, Module Output, 

and Module Descriptions. You can expand one listbox relative to another by 

clicking and dragging the horizontal or vertical line which separates them. 

2. On the Scan Results tab, in the Vulnerabilities listbox, an indexed tree view lists 

each host scanned. Click on a node in the tree view to expand it. A list of the 

vulnerabilities found on that host will be displayed. Vulnerabilities are listed by 

module number. 

3. Click on a vulnerability module number to highlight it. A detailed description of 

the module will be displayed in the Module Description listbox, including 

suggestions for fixes. Any module output generated by that module running on the 

selected host will be displayed in the Module Output listbox. 

4. Certain modules are "Fix It" modules used in conjunction with Windows NT 

Registry checks. These modules have a Fix It portion that can perform a fix to 

Registry values to correct potential vulnerabilities detected by CyberCop Scanner. 

4-6 Chapter 4












machines. 



If a host has vulnerabilities for which a Fix It module is available, the host node will 

display a wrench icon. Expand a node which displays a wrench icon. Vulnerabilities 

found on that host for which a Fix It module is available will also be shown in the tree 

view with a wrench icon. Modules that do not display a wrench icon do not have a Fix 

It portion. 

After a scan is completed, you can enable the Fix It portion for individual 

vulnerabilities and hosts. Then you can perform the fixes. For information on enabling 

and running Fix It modules, see the section, “Using Fix It Modules,” in Chapter 3. 



Viewing Results in an Event Database 

After a scan is completed, you can view events in the local event database using the 

report viewer. The report viewer is located in the SMI console window of the Security 

Management Interface. You can open the report viewer in two ways: 

• from within CyberCop Scanner using the Reports>View Results... menu item 

• from within the SMI console using the Workspace>Services>Event Database 

(events.mdb)>CyberCop Scanner node on the console tree 

Opening the Report Viewer: In CyberCop Scanner 

To open the report viewer from within CyberCop Scanner, do the following: 

1. From within CyberCop Scanner, select the Reports>View Results... menu item. 

A dialog box will open allowing you to select a pre-existing event database. 

2. Select an event database and then click Open. The SMI console window will open, 

displaying the report viewer. 

• If you selected the default event database events.mdb, the report viewer will 

be displayed with the Results List tab in front. 

• If you selected a different event database, the name of the event database will 

be displayed as a single node labeled Event Database (filename.mdb), 

where filename.mdb is the name of the event database you selected. 

Double-click on this node to expand it, and then double-click on the 

CyberCop Scanner node. The report viewer will be displayed, with the 

Results List tab in front, allowing you to select a report template. 

3. When the report viewer opens, the SMI console tree will be hidden. If you wish, 

you can display the SMI console tree using the Show/Hide Console Tree toolbar 

icon. 

Opening the Report Viewer: In the SMI Console Window 

To open the report viewer from within the SMI console window, do the following: 

1. Start the SMI console window using the Start menu (Start>Programs>Network 


2. On the SMI console tree, click on the Workspace>Services>Event Database 

(events.mdb)>CyberCop Scanner node. 

The report viewer will be displayed in the right pane of the SMI console window, 

with the Results List tab in front, allowing you to select a report template. The 

filename of the event database currently being viewed is indicated by the name of 

the node: 

4-8 Chapter 4


• If the node is named Event Database (events.mdb), the report viewer will 

display events in the default event database, called events.mdb and located in 

the directory c:\Program Files\Network Associates\SMI 

Products\SMI\Shared\EventDB. 

• If the node lists a different event database as Event Database 

(filename.mdb), where filename.mdb is the name of the event database you 

selected, the report viewer will display events in that database. 

3. You can change which event database is opened in the report viewer by doing the 

following: 

• In the SMI console window, select the Snap-in>Settings... menu item. The 


• Switch to the Event Database tab. In the Event Database Path textbox, enter 

the path to the event database whose results you wish to view. Or, click the 

Browse button to select an event database. 

• Then click OK. You will be prompted to restart the SMI console. To do this, 

click the Close button at the top right of the SMI console window. Then 

restart the SMI console using the Start menu, and repeat Step 2 above. 



Using the Report Viewer Tabs 

The Results Tab 

The report viewer includes four tabs which allow you to view security results stored in 

the local event database, select a report template to generate a report, and query the 

event database. You can also filter and sort results in the event database. 

The report viewer is located in the SMI console window of the Security Management 

Interface. You can open the report viewer in two ways: 

• from within CyberCop Scanner by selecting the Reports>View Results... menu 

item 

• from within the SMI console by double-clicking the 

Workspace>Services>Event Database (events.mdb)>CyberCop Scanner 

node on the SMI console tree 

The following four tabs are described further below: 

• Results tab 

• Report List tab 

• Chart tab 

• Query tab 

The Results tab displays information about each security result, or vulnerability, 

logged by CyberCop Scanner in the event database. This feature allows you to view 

results in the event database without generating a report. 

On the Results tab, each row represents one database record. Each column represents 

a database field within a record. Note that some database fields on the Results tab are 

not used by CyberCop Scanner. These fields will be blank. You can click and drag 

columns (to the left and right) on the Results tab to resize them. You can also click and 

drag rows (up and down) to resize them. 

You can filter and sort the results displayed on the Results tab by querying the event 

database. In this way, you can select which database fields are displayed, in which 

order. To learn more about querying the database, see the section, “Querying an Event 

Database,” later in this chapter. 

4-10 Chapter 4


The Report List Tab 

The Report List tab allows you to generate a report. The Report List tab lists several 

pre-defined report templates for use with CyberCop Scanner, described in Table 4-1 

below. 

Table 4-1. The report templates listed on the Report List tab. 

This report template 

Differential Report by 

Host 

Differential Report by 

Scan Session 

Graphical Summary 

Report by 

Complexity 

Report by Ease of Fix 

Report by Host 

Report by Impact 

Report by OS Type 

Report by Policy 

Violation 

Report by Popularity 

Report by Risk 

Factor 

Does this 

Allows you to compare results for two hosts specified 

by IP address. 

Allows you to compare results for two scan sessions 

specified by date and time. 

Provides a graphical summary report with pie charts 

for different report categories (Complexity, Ease of 

Fix, Impact, Popularity, Risk Factor, Root Cause). 

For example, the Risk Factor pie chart shows the 

proportion of vulnerabilities found with Low, 

Medium, and High risk factors. Graphical Summary 

is a management report which contains only general 

network status information for a scan. 

Organizes results by the difficulty involved in 

exploiting a vulnerability (Low, Medium, High). 

Organizes results by the ease of fixing a vulnerability 

(Trivial, Simple, Moderate, Difficult, Infeasible). 

Organizes results by host IP address. 

Organizes results by the specific threat posed by a 

vulnerability (System Integrity, Confidentiality, 

Accountability, Data Integrity, Authorization, 

Availability, Intelligence). 

Organizes results by operating system type. 

Organizes results by type of policy violation. 

Organizes results by the likelihood that a 

vulnerability will be exploited (Obscure, Widespread, 

Popular). 

Organizes results by the severity of the threat posed 

by a vulnerability (Low, Medium, High). 



Report by Root 

Cause 

Report by Scan 

Session 

Report by 

Vulnerability ID 

Vulnerability Guide 

Organizes results by the underlying cause of a 

vulnerability (Configuration, Implementation, 

Design). 

Organizes results by scan session date and time. 

Organizes results by module number. 

(Not a report template) Displays an indexed tree view 

of all modules in the Vulnerability Database. Click on 

a module number to view a detailed module 

description. The Vulnerability Guide can also be 

printed as a report. 

On the Report List tab, when you select a report template, you are asked whether you 

wish to customize the report. Customizing a report allows you to specify which 

database records will be included in the report, and which database fields will be 

included for those records. You can also specify how the database fields will be sorted 

(i.e., in which order they will be displayed). You can also choose to remove repeated 

information from the body of a report and display it in an appendix at the end of the 

report. To learn more about customizing a report, see the section, “Customizing a 

Report,” later in this chapter. 

When you generate a report, it is first displayed in a preview window which includes 

an indexed tree view of sections in the report. You can use the indexed tree view to 

navigate quickly to different sections in the report. You can also filter the previewed 

report to create sub-reports for easier viewing. To learn more about using the preview 

window, see the section, “Previewing a Report,” later in this chapter. 

After generating a report, you can print it or export it for use by another application. 

Reports can be exported in a variety of formats, including DOC (Microsoft Word), 

RTF (Rich Text Format), and HTML (Web Browser). To learn how to print a report, 

see the section, “Printing a Report,” later in this chapter. To learn more about exporting 

reports for use by another application, see the section, “Exporting a Report,” later in 

this chapter. 

4-12 Chapter 4


The Chart Tab 

The Chart tab provides a graphical representation of the database fields displayed on 

the Results tab. 

NOTE: The Chart tab is intended for use with other NAI security applications. 

It is not intended for use with CyberCop Scanner. 

The Query Tab 

The Query tab allows you to select which database fields in the event database are 

displayed on the Results tab. You can also sort these fields in the order you choose. 

The Query tab supports any valid SQL statement. To learn more about querying an 

event database, see the section, “Querying an Event Database,” later in this chapter. 



Querying an Event Database 

You can filter and sort the scan records displayed on the Results tab by querying the 

event database. In this way, you can select which database fields (columns) are 

displayed and in which sort order. To query the event database, you use the Query tab 

of the report viewer. The Query tab supports any valid SQL statement. 

To use the Query tab to query the event database, do the following: 

1. In the report viewer, switch to the Query tab. Each column on the Query tab 

represents a filter for data displayed on the Results tab. 

2. On the Query tab, in the Versions box at the top right of the screen, make sure that 

the current version number of CyberCop Scanner is selected and highlighted. 

3. At the far left of the Query tab, note the following rows which are labeled: 

• Field: Specifies which database fields (columns) are displayed on the Results 

tab. If an asterisk appears in the upper left, then all columns will be displayed 

on the Results tab. 

• Sort: Specifies the sort order (ascending or descending) of data displayed on 

the Results tab. 

• Visible: Specifies whether the data will be included (filtered in) or excluded 

(filtered out) on the Results tab. 

• Criteria: Specifies criteria for displaying data on the Results tab. The query 

expression must be entered into the cell manually. 

• Or: Specifies alternative criteria for displaying data on the Results tab. 

4. To specify which database fields (columns) to display on the Results tab, on the 

Query tab, click in the first cell of the first column, in the row labeled Field. 

A dropdown list will be displayed. The list includes all the database fields in the 

event database. Select one database field to display. The database field you select 

will be listed in the cell. 

You can repeat this step for multiple columns on the Query tab, to select additional 

database fields to be included. 

5. Next you can specify a sort order for the specified data. Click in the second cell of 

the first column, in the row labeled Sort. 

A dropdown list will be displayed. Select either an ascending or descending sort 

order. The sort order you choose will be displayed in the cell. 

4-14 Chapter 4


NOTE: The Query tab supports sorting of numeric fields and small comment 

fields in ascending or descending order. Sorting of Memo fields (large text fields 

such as module descriptions) is not supported. To avoid sorting a Memo field, 

leave the Sort cell underneath it blank. 

You can repeat this step for multiple columns on the Query tab, for each database 

field you have selected. The data will first be sorted using the sort order specified 

in the first column, and then sorted using the sort order specified in the second 

column, and so on for all columns. 

6. To specify whether data will be included (filtered in) or excluded (filtered out) on 

the Results tab, click in the third cell of the first column, in the row labeled 

Visible. 

An X will appear, indicating that the data will be included (filtered in). Click again 

to remove the X if you wish the data to be excluded (filtered out). 

7. Next you can specify filtering criteria for each filter column using the Criteria and 

Or: rows. In this way, you can specify criteria in the form "Include (or exclude) 

the data only if this applies, or this, or this." 

For example, to specify the criterion include (or exclude) the data "only if the IP 

address equals x.x.x.x," where x.x.x.x is the IP address, you would enter the 

following in the Criteria field: 

="10.0.0.1" 

where 10.0.0.1 is the IP address. 

NOTE: The query expression you enter must use the proper syntax. The Query 

tab supports any valid SQL statement. 

8. Switch to the Results tab. The data you specified using the Query tab will be 

displayed. 



Generating Scan Reports 

This section gives step-by-step procedures for generating, customizing, and 

previewing scan reports, including differential reports. It also explains how to export 

and print reports. 

Selecting an Event Database to Generate a Report 

By default, the report viewer uses the local event database events.mdb to display 

CyberCop Scanner results and generate reports. You can select a different, pre-existing 

event database to view results and generate a report. You can do this in two ways: 

• from within CyberCop Scanner using the Reports>View Results... menu item 

• from within the SMI console using the Snap-in>Settings... menu item 


In CyberCop Scanner 

To specify an event database from within CyberCop Scanner to view results and 

generate a report, do the following: 

1. In CyberCop Scanner, select the Reports>View Results… menu item. A dialog 

box will open allowing you to select a pre-existing event database. 

2. Select the event database whose results you wish to view and use to generate a 

report, and then click Open. The SMI console window will open, displaying the 

report viewer. 

3. If you selected a different database from the default database, the name of the 

event database will be displayed as a single node labeled Event Database 

(filename.mdb), where filename.mdb is the name of the event database you 

selected. Double-click on this node to expand it, and then double-click on the 

CyberCop Scanner node. 

The report viewer will open, with the Results List tab in front, allowing you to select 

a report template. Results from the event database you selected will be used when you 

generate a report. 

4-16 Chapter 4



In the SMI Console Window 

To specify an event database from within the SMI console window to view results and 

generate a report, do the following: 


Associates>Security Management Interface). The SMI console window will open, 

with the Workspace node highlighted. 

2. In the SMI console window, select the Snap-in>Settings… menu item. The 


3. Switch to the Event Database tab. In the Event Database Path textbox, enter the 

path to the event database whose results you wish to view and use to generate a 

report. Or, click the Browse button to select an event database. 

4. Then click OK. You will be prompted to restart the SMI console. To restart the 

SMI console, click the Close button at the top right of the SMI console window. 

Then restart the SMI console using the Start menu. 

Click on the Workspace node to expand it. Under the Workspace>Services node, 

the event database you selected will now be listed as a node labeled Event 

Database (filename.mdb), where filename.mdb is the name of the event database 

you selected. This event database will now be used to generate reports. 

5. To disconnect from an event database and reconnect to the default event database 

events.mdb, select the Snap-in>Settings… menu item. Then clear the textbox on 

the Event Database tab to leave it blank. Restart the SMI console. 

The default event database events.mdb will now be used to generate reports. 



Generating a Report 

A report is generated using results stored in the default event database events.mdb, 

unless you specify a different event database. You can choose from over ten predefined 

report types for displaying CyberCop Scanner results. 

To generate a report, follow these steps: 

1. Open the report viewer from within CyberCop Scanner by selecting the 

Reports>View Results... menu item 

The report viewer will open with the Report List tab in front. 

The different types of graphical and text-based reports you can generate will be 

listed by name. Following each report name is a brief description of the report. To 

learn more about the different report templates, see the section, “Using the Report 

Viewer Tabs,” earlier in this chapter. 

2. Select the report type you wish to generate by clicking on the report name. The 

Report Preview dialog box will open, asking if you wish to customize the report. 

3. Next you may customize the report, to specify which database records will be 

included, and how the database fields within those records will be sorted. 

Click No if you do not wish to customize the report. Click Yes if you wish to 

customize the report. To learn how to use the options for customizing a report, see 

the section, “Customizing a Report,” later in this chapter. 

NOTE: Differential reports must be customized. See the next section, 

“Generating a Differential Report,” for more information. 

4. Click OK to close the Report Preview dialog box. The report will be generated and 

displayed in the report viewer. 

NOTE: Reports displayed on the Report List tab are not automatically updated 

when CyberCop Scanner detects new security events. To update a report while 

viewing it on the Report List tab, click the Refresh icon on the toolbar. 

5. Next you may preview the generated report. 

To the left of the generated report, the Preview tab will be displayed. The Preview 

tab provides an indexed tree view of sections in the report. You can use the 

indexed tree view to quickly navigate to certain sections in a long report. You can 

also filter a report to generate sub-reports, and you can search a report. To learn 

more about using the Preview tab to navigate and search through a report, see the 

section, “Previewing a Report,” later in this chapter. 

4-18 Chapter 4


6. When you are finished previewing a report, you can print it, export it, or close it. 

To learn about printing and exporting a report, see the sections, “Printing a 

Report” and “Exporting a Report,” later in this chapter. 

To close a report, right-click on the report to open a context menu and select the 

Close command. The list of report types will be redisplayed, allowing you to 

select a different report type. 

NOTE: When you generate and preview a report on the Report List tab, it will 

not be saved when you switch to another tab. Before switching tabs after 

generating a report, it is necessary to print or export the report. 



Generating a Differential Report 

You can generate a differential report which compares scan results for two host IP 

addresses or two scan sessions. To generate a differential report, you select one of the 

following report templates on the Report List tab of the report viewer: 

• Differential Report by Host 

• Differential Report by Scan Session 

To generate a differential report, do the following: 

1. On the Report List tab, click on the differential report template you wish to use to 

generate a report. The Report Preview dialog box will open, allowing you to 

customize the report. 

The options for customizing the report are similar to those described in the 

section, “Customizing a Report.” However, on the Data Selection tab, you are 

now given the option to select either two hosts or two scan sessions to compare. 

2. If you selected Differential Report by Host, on the Data Selection tab, the Host IP 

Address tab will be displayed. Select a host IP address from each of the two 

dropdown lists to compare. 

You may specify other filtering and sorting criteria in addition to the comparison 

criteria, as for other report templates. 

3. If you selected Differential Report by Scan Session, on the Data Selection tab, the 

Scan Session tab will be displayed. Select a scan session from each of the two 

dropdown lists to compare. 

You may specify other filtering and sorting criteria in addition to the comparison 

criteria, as for other report templates. 

4. Click OK to close the Report Preview dialog box. The report will be generated and 

displayed in the preview window. You can preview the report as described in the 

section “Previewing a Report.” 

NOTE: Differential reports take time to generate for large reports. 

4-20 Chapter 4


Customizing a Report 

Customizing a report allows you to specify which database scan records to include in 

the report, and which database fields to include for those records. You can also specify 

how the database fields will be sorted (i.e., in which order they will be displayed). In 

addition, you can choose to remove repeated information from the body of a report and 

display it in an appendix at the end of the report. 

For example, you can specify records to include according to their host IP addresses 

and scan session date and time. Then you can select which database fields will be 

included for each record, such as risk factor and OS type. Finally you can specify the 

sort order for this information, such as sorting by OS type first, and then vulnerability 

ID. Information in the report will then be displayed in this order for each record. 

To customize a report, do the following: 

1. On the Report List tab, select the report type you wish to generate by clicking on 

the report name. The Report Preview dialog box will open, asking if you wish to 

customize the report. 

2. Click Yes to begin customizing the report. The three tabs listed below will be 

displayed. 

Data Selection tab: Allows you to specify which scan records to include in the 

report. Scan records are filtered according to the values in their database fields. 

You can filter for a single value or a range of values. 

• To add a database field to be filtered, in the Database Fields listbox, select the 

field to highlight it and then click Add. A new filtering tab will be displayed, 

allowing you to filter values for the selected database field. By default, the 

database field Scan Session is selected as a starting point, allowing you to 

filter for scan date and time. 

• To remove a database field from the filtering tabs, select the tab to move it to 

the front. Then click Delete. 

• To specify values for filtering a database field, click on a filtering tab to move 

it to the front. From the dropdown listbox, select a filtering operator (any 

value, equal to, one of, less than, between). Depending on the operator you 

choose, additional screen controls will be displayed allowing you to specify 

values. For example, a dropdown listbox may be displayed which lists the 

values you can choose from 



Fields tab: Allows you to specify which database fields within a record to include 

in the report. The Database Fields listbox shows which database fields are 

available to be included in the report. The Report Fields listbox shows which 

database fields will be included in the report. You can move database fields to and 

from the Report Fields listbox. 

• To add a database field to the Report Fields listbox to include it in the report, 

select it in the Database Fields listbox to highlight it. Then click Add. You 

can select more than one database field at a time. 

• To add all database fields, click Add All. 

• To delete a database field from the Report Fields listbox to exclude it from 

the report, select it in the Report Fields listbox to highlight it. Then click 

Delete. 

• To delete all database fields, click Delete All. 

• You can move repeated information (non-host-specific information such as 

module descriptions) from the body of the report into an appendix at the end 

of the report. To do this, in Display Options, enable the Appendix radio 

button. To keep repeated information in the body of the report, enable the 

Embedded in Report Section radio button. 

Group tab: Allows you to specify the sort order of database fields displayed in 

the report. For example, you can sort information by host IP address first, and then 

by vulnerability ID. The sort order will also be used to generate the indexed tree 

view on the Preview tab, which allows you to quickly navigate to sections in the 

report. 

The Database Fields listbox shows which database fields are available to sort by. 

The Sort Fields listbox shows which database fields will be used to sort by. You 

can move database fields up and down in the sort order. You can sort database 

fields in descending or ascending order. 

• To add a database field to sort by, select it in the Database Fields listbox to 

highlight it. Then click Add. You can add database fields to the Sort Fields 

listbox one at a time. 

• To delete a database field from the Sort Fields listbox, click it to highlight it. 

Then click Delete. 

• To change the sort order of database fields in the Sort Fields listbox, select a 

database field to highlight it. Then click Up or Down to move it up or down 

in the list. 

• To specify a descending or ascending sort order, enable the Descending Order 

or Ascending Order radio button. 

4-22 Chapter 4


3. When you have customized the report options as desired, click OK to close the 

Report Preview dialog box. The report will be generated and displayed in the 

report viewer. 

4. Next you may preview the generated report. To learn more about previewing a 

report and using the indexed tree view to navigate through the report, see the next 

section, “Previewing a Report.” 

NOTE: When you generate a report on the Report List tab, it will not be saved 

when you switch to another tab. Before switching tabs after generating a report, 

it is necessary to print or export the report. 



Previewing a Report 

When you generate a report, it is first displayed in preview window which allows you 

to preview the report before exporting or printing it. The preview window includes a 

Preview tab and toolbar icons which allow you to navigate and search through a 

report. 

Certain report templates support being indexed in a tree view in which nodes represent 

different sections of the report. The indexed tree view is displayed as a column under 

the Preview tab, to the left of the generated report. If you chose to customize the report 

before generating it, the indexed tree view will list sections in the report according to 

the sort order you specified. 

The preview window allows you to do the following: 

• navigate quickly to different sections of the report, using the indexed tree view 

• navigate through the report page by page; or navigate to the beginning or end of 

the report 

• filter the report to generate sub-reports for easier viewing 

• in some cases, search the report for certain information 

• refresh the report to include the latest results in the event database 

• export a report 

• print a report 

• resize the previewed report 

• hide and redisplay the indexed tree view 

To use the screen controls of the preview window, follow these steps: 

1. You can navigate through large reports using the indexed tree view. To display a 

particular section of a report, click on the node that has the name of the section 

you want to jump to. For example, depending on the report type, nodes on the tree 

view can represent scan session date and time, host IP address, vulnerability ID, 

or risk factor. You can expand the indexed tree view to list all the sections of a 

report. 

2. You can navigate through a report using the toolbar icons on the lowest toolbar. 

The arrow icons (< and >) allow you to navigate forward and backward, page by 

page. The beginning and end icons (|< and >|) allow you to jump to the beginning 

and end of a report. 

3. You can filter a report to generate sub-reports with their own indexed tree views. 

To filter a report, move the cursor over headings in the report until the cursor 

changes to a magnifying glass. Then double-click on the report heading. 

4-24 Chapter 4


A sub-report will be generated containing only the information pertaining to that 

heading. For example, if you click on a particular host IP address in a report, a 

sub-report with information pertaining only to that host will be generated. If you 

click on a particular vulnerability ID in a report, a sub-report containing 

information on the occurrence of that vulnerability during different scan sessions 

will be generated. 

A new tab will be added for the sub-report. When you click on the new tab, it will 

move to the front and a new indexed tree view will be displayed, allowing you to 

navigate through the sub-report. 

You can switch between the tabs to view different sub-reports, and you can switch 

back to the Preview tab to view the full report. 

To delete a sub-report, move its tab to the front. Then click the delete icon (X) on 

the lowest toolbar (on the far left). 

4. In some cases, you can search a report for certain information. To search a report, 

enter the search item in the textbox next to the binocular toolbar icon on the lowest 

toolbar. Then click the binocular toolbar icon to begin the search. 

NOTE: Only a full report on the Preview tab can be searched. Differential 

reports, sub-reports, and the appendix cannot be searched. Only certain report 

headings, such as host IP address and vulnerability ID, can be searched. 

5. To refresh a report with the latest results from the event database, switch to the 

Preview tab to view the full report. Then click the lightening bolt toolbar icon on 

the lowest toolbar. 

NOTE: The Preview tab must be in front in order to refresh a report. 

6. To export a report for use in another application, click the envelope toolbar icon 

on the lowest toolbar. 

7. To print a report, click the printer toolbar icon on the lowest toolbar. 

8. To resize a report in the preview window, use the percent size (%) dropdown list 

on the lowest toolbar. You can select a size from the dropdown list. You can also 

enter a different size in the textbox. To enter a different size, enter the percent size 

(%) in the textbox and then press the Tab key or click using the mouse. 

9. To hide and redisplay the indexed tree view, click the tree view icon on the lowest 

toolbar. 

10. When you are finished viewing the report, right-click on the report to open a 

context menu and select Close to close the report. The list of report types will be 

redisplayed, allowing you to generate another report type. 



NOTE: When you generate and preview a report on the Report List tab, it will 

not be saved when you switch to another report viewer tab. Before switching tabs 

after generating a report, it is necessary to print or export the report. 

4-26 Chapter 4


Exporting a Report 

Printing a Report 

To export a report, follow these steps: 

1. Click the Export toolbar icon, which is shown as an envelope. The Export dialog 

box will open, providing screen controls for exporting the report. 

2. From the Format listbox, select a desired report format. Example formats include 

DOC (Microsoft Word), RTF (Rich Text Format), and HTML (Web browser). 

3. In the Destination listbox, select the report destination. Destinations include: 

• Disk File for saving the report to your hard disk or a floppy disk. 

• Exchange Folder for saving the report to a folder in the Microsoft Exchange 

Server. 

• Lotus Notes Database for saving the report to a database. 

• Microsoft Mail for e-mailing the report. 

4. Click the OK button to continue. You will be prompted to enter information 

specific to the options you selected. For example, if you choose to export the 

report as a DOC file to the Disk File destination, you will be prompted to enter a 

filename and location on the disk for saving the report. 

You can print a report from the SMI report viewer using one of the following methods: 

• Click the Print icon on the toolbar. 

• From the Snap-in menu, select Print. 



Generating Network Maps 

A network map is a 3-dimensional rendition of a network, including hosts, targets, and 

routers. Network maps are generated during a scan when module no. 1041(Trace 

Route to Host) is selected. You can verify whether module no. 1041 is selected using 

the Configure>Module Settings… menu item. 

Network maps are also generated when you scan a network using the Scan>Begin 

Probe menu item. 

The default filename for a network map is listed in the Configure>Scan 

Settings…>Scan Options tab. By default, it is named results.map unless you change 

it. In order to save the network map to this file, the Host Information File checkbox 

must be enabled. 

Generating a Network Map 

To generate a network map: 

1. To generate a network map during a scan, you must first enable Module no. 1041 

(Trace Route to Host). Select the Configure>Module Settings… menu item. 

Enable the checkbox for module class 1000, and then enable the checkbox for 

module no. 1041. 

2. Next, enter a name for the network map file that will be created. 

To do this, select the Configure>Scan Settings… menu item and switch to the 

Scan Options tab. On the Scan Options tab, the Host Information File textbox will 

list the default network map filename, results.map. You may change the filename 

if you wish. Network maps must be given a .map file extension. 

3. Enable the Host Information File checkbox. This checkbox must be enabled, 

otherwise the network map file will not be saved. 

4. Start a scan using the Scan>Begin Probe menu item. A network map will be 

generated for the scan. 

Alternatively, to generate a network map, begin a network probe using the 

Scan>Begin Probe menu item. When you scan a network using Probe, a network 

map is automatically generated. 

4-28 Chapter 4


Viewing a Network Map 

You can view a network map using the Reports>Network Map… menu item. You 

can practice using the controls of the Network Map screen to move the map around in 

the screen and zoom in and out on the map. 

1. To load a network map, select the Reports>Network Map... menu item. The 

network map file results.map will be opened automatically. 

2. To open a different network map file, click the Load Map... button. A dialog box 

will open allowing you to select a different network map file (*.map). 

3. Practice moving the network map around in the screen as follows: 

• To move the map up a hop in the network, click the Up arrow button. To 

move the map down a hop in the network, click the Down arrow button. 

• Tomovethemaptotheleftahopinthenetwork,clicktheLeft arrow button. 

To move the map to the right a hop in the network, click the Right arrow 

button. 

• The Network Map screen can automatically move the map around in the 

screen. Click the Start Fly-Through button to see what results. To turn off 

the fly-through option, click the Stop Fly-Through button. 

4. Next try using the zoom functions of the screen. Zoom in on the network map by 

clicking the + Magnifying Glass button. Zoom out on the map by clicking the 

–MagnifyingGlassbutton. 

5. To close the Network Map screen, click the Close button at the top right of the 

screen. 




Now that you have completed the tutorials in Chapters 3 and 4, you should be familiar 

with the basics of using CyberCop Scanner. 

• You can set up a configuration file. 

• You can start and stop a scan or a probe. 

• You can select the module groups and modules used for a scan. 

• You can view scan results and query an event database. 

• You can generate and preview scan reports, and you can customize reports to 

specify which scan records will be included and how they will be sorted. 

• You can generate a network map. 

You can go on to the remaining tutorial chapters, which describe how to use more 

advanced features of CyberCop Scanner. Or, you can practice taking more scans using 

what you have learned in Chapters 3 and 4. 

4-30 Chapter 4

5Using Brute Force Password 

Guessing Functions 

Introduction 

5 

CyberCop Scanner includes two programs that use brute force password guessing 

functions. These brute force methods determine if user accounts on a network are 

vulnerable to intruders. The two programs (sometimes called utilities) are Crack and 

SMBGrind. 

The Crack program attempts to break into a computer by guessing a user’s encrypted 

password. It does this by comparing a list of possible passwords with an actual account 

file for a network, thereby potentially gaining access to a user account. The SMBGrind 

program actually attempts to log on to a computer remotely. It grinds through a list of 

possible passwords and if a match is found it then logs on to the computer. 

The Crack and SMBGrind programs are available from the Tools menu. To open 

Crack, select Tools>Crack... To open SMBGrind, select Tools>SMBGrind... 

Password grinding methods similar to the method used by SMBGrind are also used by 

module class 9000 (Password Guessing/Grinding), which you can select for a scan 

along with other module classes as described in Chapter 3. 

This chapter will tell you about the above password guessing functions of CyberCop 

Scanner. It also includes step-by-step instructions for using the Crack and SMBGrind 

programs to determine if user accounts are vulnerable to intruders. 


Using Brute Force Password Guessing Functions 

About Password Guessing Functions 

Brute force password guessing functions attempt to break into computers by trying to 

guess user account passwords. These functions generally run a large list of possible 

passwords against a user account. The password lists are contained in text files. 

Each password in the text file is run against the user account to see if it matches the 

user password. If the user password can be guessed successfully, it means that the 

computer is vulnerable to intruders who might also be able to guess the password and 

log on. 

There may be users on your network who have not selected secure passwords. For 

instance, users may be using a common password such as “guest” or “welcome” or an 

easily guessed name. These user accounts may be vulnerable to intruders. You can 

verify which computers on your network are vulnerable using CyberCop Scanner’s 

password guessing program: Crack and SMBGrind. 

5-2 Chapter 5


Using the Crack Utility 

This section describes the Crack utility and gives step-by-step instructions for running 

Crack to determine if user passwords are vulnerable. 

About the Crack Utility 

The Crack program attempts to determine a user password using two types of files: 

• a dictionary file (also called a passlist file) 

• an account file 

A dictionary file is a text file containing a list of words followed by a carriage return 

that might match a user password. An account file is a text file that lists user names on 

a network along with their actual encrypted passwords (using DES encryption). The 

Crack program works by running the contents of these two files against each other. If 

a word in the dictionary file matches a user’s actual encrypted password, then the 

Crack program is able to unlock the encrypted password string and determine the user 

password. The user password has then been guessed, or “cracked.” 

The dictionary file is a list of words which you can create as a text file or obtain from 

another source. (For instance, it may be possible to download a dictionary file over the 

internet.) CyberCop Scanner includes two files, passlist.txt and NTpasslist.txt, which 

contain several commonly used passwords on UNIX and Windows NT systems. You 

can add your own words to these text files or create your own dictionary file to use with 

the Crack program. 

The account file for a network lists the user names on the network along with their 

encrypted passwords. You may have access to this file as a network administrator. You 

can use the account file with the Crack program to determine if the user passwords are 

vulnerable. 



Running Crack 

5-4 Chapter 5 

To use the Crack program, do the following: 

1. Select the passlist file you want to use with Crack. The passlist file is a dictionary 

of passwords. You can either create a passlist file or get it from another source. 

• Click the Folder icon next to the Passlist File textbox. The Open dialog box 

opens. 

• Select the drive and the directory where the passlist file is stored. Then enter 

the name of the file you want to open in the File Name textbox. 

• Click the Open button to close the dialog box and open the selected file. 

2. Select the operation(s) you want Crack to apply to the passwords in the passlist 

file by enabling the appropriate checkbox(es). The checkboxes along with their 

operation are as follows. 

• Try Reversing Words automatically reverses each word in the passlist file. 

• Try UpperCase and Lower Case runs each word in the passlist file in all 

uppercase and all lowercase letters. 

• Append Numbers appends the numbers 0 through 9 to the end of each word 

in the passlist file. 

• Try Common Letter Substitutions replaces letters of each password in the 

passlist file with common symbols. For instance, if “a” were a letter in a 

password it would be replaced with “@.” 

If you select more than one operation, the program performs the operations 

separately. 

3. Now, select the account file you want to use with Crack. The account file is a list 

of user name and encrypted passwords. The account file can be obtained from a 

scan of the computer or from a UNIX password file. 

• Click the Folder icon next to the Account File textbox. The Open dialog box 

opens. 

• Then, select or enter the name of the file you want to open in the File Name 

textbox. Sometimes CyberCop can obtain an account file from the target of a 

scan. If this is the case, choose this file to use with Crack. 

• Click the Open button to open the selected file. 

A list of user accounts is displayed in the Crack screen. You can choose to run 

Crack against some or all of the accounts in the account file. Crack will try to 

guess the passwords for the accounts you select. 

4. To run Crack against all accounts, enable the Crack All Accounts option button. 

If you want run Crack against only some of the accounts, enable the Crack Only 

Selected Accounts options button. Then, select the desired user accounts by 

enabling the checkboxes next to the user accounts.


5. Click the Crack button to run Crack. 

The Progress screen is displayed when you run Crack. This screen displays the results 

and progress of Crack in real time. 



Crack Screen Controls 

To open the Crack screen, from the Tools menu select Crack. The Crack screen 

controls are described in Table 5-1 below. 

Table 5-1. The Crack screen controls. 

This screen control 

Passlist File 

Try Reversing Words 

Try Upper Case and 

Lower Case 

Append Numbers 

Try Common Letter 

Substitutions 

Account File 

Crack All Accounts 

Crack Only Selected 

Accounts 

Clear Account List 

Crack 

Does this 

Lets you select the .txt file that contains the user 

names and encrypted. 

Automatically reverses each word in the passlist file. 

For example, the password “one” would be reversed 

to the password “eno.” Crack would run both 

passwords against user accounts: one and eno. 

Changes the case of the letters of each word in the 

passlist file. The variations checked are all uppercase 

and all lowercase. 

Appends numbers to each word in the passlist file. 

Specifically, the numbers 0 through 9 are added to the 

end of each password. 

Replaces letters of each password in the passlist file 

with common symbols. For example, if “a” were a 

letter in a password it would be replaced with “@.” 

Or, “E” would be replaced with “3.” 

The file that contains the user accounts and the 

encrypted passwords you want Crack to use. 

Selects all user accounts in the user account file to be 

cracked. 

Runs Crack against selected users in the account file. 

Deselects the selected user accounts in the account 

file. 

Starts Crack. Click the Progress tab of the Crack 

screen to display the results. 

5-6 Chapter 5


Using the SMBGrind Utility 

About SMBGrind 

This section describes the SMBGrind utility and gives step-by-step instructions for 

running SMBGrind to attempt to determine a user password by logging on to a 

computer remotely. 

The SMBGrind program attempts to determine a user password by actually trying to 

log on to a computer remotely using SAMBA (the SMB protocol). To do this, the 

SMBGrind program uses two types of files: 

• a dictionary file (also called a passlist file) 

• a userlist file 

A dictionary file is a text file containing a list of words that might match a user 

password, as described in the previous section. A userlist file is a text file containing a 

list of common user names or a list of actual user names specific to a machine. 

CyberCop Scanner includes two files, userlist.txt and NTuserlist.txt, that contain 

common user names (such as “root” or “admin”) used on UNIX and Windows NT 

systems. If you are a network administrator, you may have access to the user list for 

your network, or you may be able to generate a list of user names to add to a text file. 

The SMBGrind program works by first running the contents of the userlist file against 

a target machine until it finds a match. If it finds a match, it then runs the contents of 

the dictionary file against the machine until it is able to log on. If the SMBGrind 

program is able to log on successfully, it has discovered the password. Then it logs off. 



Running SMBGrind 

To use SMBGrind, do the following: 

1. To open SMBGrind, select SMBGrind from the Tools menu. 

2. Enter the IP address of the destination host in the Hostname textbox. You may 

only run SMBGrind against one host at a time. 

3. In the NetBIOS Name textbox, enter the destination host name. Entering a name 

in this textbox is optional. 

4. Select the number of parallel grinders you want SMBGrind to spawn. The number 

of parallel grinders is the number of simultaneous attempted logons. You can 

select a value from 1 to 40 using the Parallel Grinders slider bar. 

5. Choose the userlist file you want to use with SMBGrind. The userlist file contains 

user names. You can create a userlist file, or you can get it from another source. 

• Click the Folder icon next to the Userlist File textbox. The Open dialog box 

opens. 

• Select the drive and the directory where the file is stored. Then, enter or select 



6. Next, choose the passlist file you want to use with SMBGrind. The passlist file is 

a dictionary of passwords. You can either create a passlist file or get it from 

another source. 

• Click the Folder icon next to the Passlist File textbox. The Open dialog box 

opens. 

• Select the drive and the directory where the file is stored. Then, enter or select 



7. Click the Grind button to run the SMBGrind program. You can cancel the 

program at any time by clicking the Cancel button. 

The SMBGrind results are displayed in the screen in real time. 

5-8 Chapter 5

SMBGrind Screen Controls 


To open SMBGrind, select SMBGrind from the Tools menu. The SMBGrind screen 

controls are described below in Table 5-2. 

Table 5-2. The SMBGrind screen controls. 

This screen control 

IP Address 

NetBIOS Name 

Parallel Grinders 

Userlist File 

Passlist File 

Grind 

Cancel 

Does this 

Lets you enter the IP address of the system you want 

to run SMBGrind against. You may only run 

SMBGrind against one host at a time. 

Lets you enter the NetBIOS of the system you want to 

runSMBGrindagainst. 

Allows you to choose the number of spawned grind 

processes. The range of values is from 1 to 40. 

Lets you select the file that contains the user account 

list SMBGrind will use. 

Lets you select the file that contains the password list 

SMBGrind will use. 

Starts SMBGrind against the target destination 

Cancels SMBGrind 




In this chapter, you learned how to use the Crack and SMBGrind programs of 

CyberCop Scanner. The programs will help you determine which systems on your 

network are vulnerable to intruders. 

The next chapter, Chapter 6, teaches you how to use the IDS (intrusion detection 

software) tool of CyberCop Scanner. You can use the IDS tool to test the effectiveness 

of your intrusion detection software. 

5-10 Chapter 5

6Running IDS (Intrusion 

Detection Software) Tests 

Introduction 

6 

Intrusion detection software detects misuse incidents on a system. If you have a 

host-based intrusion detection application, you can use CyberCop Scanner’s IDS 

testing tool to test the response of your IDS software to misuse incidents. This chapter 

includes a description of the IDS testing tool. It also includes a procedure for running 

IDS tests. 


Running IDS (Intrusion Detection Software) Tests 

About IDS Tests 

Host-based intrusion detection software monitors a system for misuse incidents. 

Examples of misuse incidents are illegal logons, password rattling, illegal file access, 

and software attacks. The IDS testing tool allows you to test your intrusion detection 

software, to make sure that it is set up properly. 

The IDS testing tool includes IDS modules, which are examples of misuse incidents. 

You can select which IDS modules to run against your intrusion detection software. 

The IDS generate packets to attack a target machine. For example, some IDS modules 

split the packets and send the fragments to the target machine in different ways. The 

IDS IP Fragmentation Test (8-Byte Tiny Frags) test, for instance, allows you to test 

whether your intrusion detection software correctly reassembles IP packets from 

fragmented IP packets to recognize the intrusion. 

The IDS module you select generates a packet which is sent to a target machine in a 

camouflaged form. The camouflaged packet is a scrambled version of the nominal 

form of the packet, thereby making it difficult for the intrusion detection software to 

detect. If your intrusion detection software is set up properly, it should be able to detect 

the camouflaged packets generated by an IDS module. 

6-2 Chapter 6

Performing IDS Tests 

To perform IDS tests, do the following: 


1. Select Tools>IDS Testing... The IDS Testing screen will open. 

2. Enter the IP address of the source host in the Source IP Address textbox. You can 

select an arbitrary IP address for a system on the network. 

3. In the Destination IP Address textbox, enter the IP Address of the destination host. 

4. The destination TCP port is displayed in the Destination TCP Port textbox. The 

default port is 80. Change the port only if you want to send the IDS script to a port 

other than the default port. 

5. From the Module Selection listbox, select the desired IDS script. You can only run 

one IDS script at a time against the intrusion detection software you are running 

the tests against. 

6. Click the Send Script button to run the script. 

7. Monitor the results of the IDS test using the intrusion detection software. It should 

detect the camouflaged form of the selected IDS script sent from the CyberCop 

Scanner IDS tool. 




In this chapter, you learned how to use the IDS testing tool of CyberCop Scanner. You 

now know how to use the IDS testing tool to test the ability of your intrusion detection 

software to detect misuse incidents on a system. 

The next chapter, Chapter 7, gives instructions for running filter checks on firewalls, 

screening routers, and other gateway machines using module class 12000, a class of 

modules written in the custom audit scripting language (CASL). 

6-4 Chapter 6

7Using CASL Modules to Run 

Firewall Filter Checks 

Introduction 

7 

CyberCop Scanner includes a class of modules written in the custom audit scripting 

language that perform firewall filter checks on a network. The modules in this class 

(module class 12000) look for common misconfigurations in firewalls, screening 

routers, and other gateway machines by manipulating and sending IP packets to 

attempt to pass through filters. The firewall filter checks will help you determine 

whether your firewall filter rules are adequate. Any vulnerabilities that are found will 

aid you in correcting your filter rules. 

The CASL modules which perform these checks are available in the Module 

Configuration dialog box of CyberCop Scanner, accessed by selecting the 

Configure>Module Settings... menu item. This chapter includes a description of the 

CASL modules. It also includes a procedure for running CASL firewall filter checks 

on a network. 


Using CASL Modules to Run Firewall Filter Checks 

About CASL Modules 

CyberCop Scanner includes a class of modules written in the CASL language (Custom 

Audit Scripting Language) that perform firewall filter checks on a network. The 

modules in this class (module class 12000) look for common misconfigurations in 

firewalls, screening routers, and other gateway machines by manipulating and sending 

IP packets to attempt to pass through filters. If these checks find any vulnerabilities in 

your firewall filters, you should reconfigure your filters. 

The CASL modules which perform these checks are available by selecting the 

Configure>Module Settings... menu item to open the Module Configuration dialog 

box. In the Module Configuration dialog box, for the Scan Type, click the CASL 

Modules radio button. 

Some CASL modules check how a firewall handles fragmented or malformed packets, 

which can be used to trick a firewall into letting them through. For example, 

misconfigured firewall filters may allow IP fragments through, where they can be 

reassembled into packets that the firewall would not normally allow to pass. 

The CASL modules are run separately from other module classes. In the Module 

Configuration dialog box, you specify which CASL modules you want to run. Then on 

the Scan Settings tab, you specify a target host on a target network which is behind the 

firewall against which you wish to run the firewall filter checks. During the scan, the 

Scan Progress tab displays scan progress, just as for scans using other module classes. 

The CASL modules only send packets to the target host on the target network. They 

do not return any information about whether IP packets were allowed through the 

firewall filter. To monitor the results of a CASL firewall filter check, you need to run 

CyberCop Sentry (sentry.exe) on a host behind the firewall you are checking. The host 

may be the same as the target host specified on the Scan Settings tab, or it may be a 

different host. To install CyberCop Sentry, it is necessary to install CyberCop Scanner 

on the target host. 

When CyberCop Sentry is running on the other side of the firewall, it automatically 

listens for packets that have passed through the firewall filter. It then reports how many 

CASL packets were able to pass through. You can save these results in a local event 

database on the target host where CyberCop Sentry is running. 

7-2 Chapter 7


Setting Up to Run Firewall Filter Checks 

To set up to run firewall filter checks, you use three computers: (1) You run CyberCop 

Sentry on a host behind the firewall you wish to check. (2) Then you run CASL 

modules from CyberCop Scanner on the local host. (3) You run the CASL modules 

against a single target host which is also behind the firewall you wish to check. The 

target host may be the same as the host running CyberCop Sentry if you choose. 

The target host and the host running CyberCop Sentry must be on the same network. 

Both must be on the opposite side of the firewall from the local host where CyberCop 

Scanner is running. CyberCop Scanner will attempt to send CASL packets to the target 

host. CyberCop Sentry will detect CASL packets which pass through the firewall. 

CyberCop Sentry can be located anywhere on the network on the opposite side of the 

firewall where it will be able to see the IP packets if they pass through the firewall 

filter. It will continuously count packets transmitted on the network and report the 

following status information: 

• total CyberCop Scanner packets read 

• packets per second read 

• total of all packets read 

You will have the option to store results in a local event database on the host where 

CyberCop Sentry is running. 

To set up and run CyberCop Sentry, follow these steps: 

1. Install CyberCop Scanner (which includes CyberCop Sentry) on a host behind the 

firewall you wish to check. The host must be on the opposite side of the firewall 

from the local host which will be running CyberCop Scanner and sending the 

CASL packets. 

NOTE: You must install CyberCop Scanner on the host in order to install 

CyberCop Sentry. CyberCop Sentry requires additional drivers present in the 

CyberCop Scanner distribution, as well as the ability to store results to a local 

event database, in order to operate. 

2. Start CyberCop Sentry on the host where you installed it in one of the following 

ways: 

• from the Start menu (Start>Programs>Network Associates>CyberCop 

Scanner>CyberCop Sentry) 

• by starting CyberCop Scanner and selecting the Tools>CyberCop Sentry... 

menu item 

The CyberCop Sentry screen will open. 



3. On the CyberCop Sentry screen, start the CyberCop Sentry engine by selecting the 

Engine>Start menu item. Alternatively, click the Start toolbar icon. 

The CyberCop Sentry screen will display a message "Sentry engine running" 

along with a list of any detected CASL packets. A running count of the total 

number of network packets, CyberCop Scanner packets, and packets per second 

detected by CyberCop Sentry will also be displayed. 

NOTE: No CyberCop Scanner packets will be detected until you start running 

CASL modules from the local host on the other side of the firewall. 

4. Next you run CASL modules from the local host on the other side of the firewall. 

To learn how to run the CASL modules from the local host on the other side of the 

firewall, see the next section, “Running Firewall Filter Checks.” 

5. When the scan is complete, you stop the CyberCop Sentry engine by selecting the 

Engine>Stop menu item. Alternatively, click the Stop toolbar icon. 

6. A message box will open prompting you to store the results displayed on the 

screen. Click Yes to store the results. Alternatively, select the File>Store Results 

menu item. 

By default, results will be saved in a local event database (events.mdb) located at 

c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB on the 

host where CyberCop Sentry is running. 

7. Finally, you can clear the CyberCop Sentry display by selecting the File>Clear 

menu item. You can also close CyberCop Sentry by selecting File>Exit. 

7-4 Chapter 7

Running Firewall Filter Checks 


To run CASL modules to perform firewall filter checks, follow these steps: 

1. First you must run CyberCop Sentry on a host behind the firewall whose filter you 

wish to check. To set up CyberCop Sentry on a host, see the previous section, 

“Setting Up to Run Firewall Filter Checks.” 

2. On the local host which will be running CyberCop Scanner and sending the CASL 

packets, start CyberCop Scanner and select the Configure>Module Settings... 

menu item. The Module Configuration dialog box will open, allowing you to 

select CASL modules for a scan. 

3. In the Module Configuration dialog box, for the Scan Type, click the CASL 

Modules radio button. The Module Groups listbox will display module class 

12000 (Packet Filter Verification Checks). 

Enable the checkbox for module class 12000. Then in the Module Selection 

listbox, select the CASL modules you wish to run. You may select multiple CASL 

modules to run at a time. Each CASL module will attempt in various ways to send 

IP packets through the firewall filter to the target host. 

Click OK to close the dialog box. 

4. Next select the Configure>Scan Settings... menu item. The CyberCop Scanner 

Setup dialog box will open. 

5. On the Scan Settings tab, click the Host Range radio button. Then enter the IP 

address of a target host on the opposite side of the firewall you wish to check. The 

target host and the host running CyberCop Sentry must be on the same network, 

and they must both be on the opposite side of the firewall from the local host 

running CyberCop Scanner. The target host may be the host running CyberCop 

Sentry if you wish. 

Click OK to close the dialog box. 

6. When you have selected the CASL modules you wish to run and specified the 

target host as described in Step 5 above, start a scan by selecting the Scan>Begin 

Scan menu item. 

The Scan Progress tab will display scan progress. The message line "Scan 

completed" will be displayed when the scan is complete. 

7. When the scan is complete (when the CASL modules have stopped transmitting 

packets), stop the CyberCop Sentry engine on the host where it is running by 

selecting the Engine>Stop menu item in CyberCop Sentry. 



A message box will open on the CyberCop Sentry host prompting you to store the 

results displayed on the screen. Click Yes to store the results. Alternatively, select 

the File>Store Results menu item. By default, results will be saved in a local event 

database (events.mdb) located at c:\Program Files\Network Associates\SMI 

Products\SMI\Shared\EventDB on the host where CyberCop Sentry is running. 

You can use the SMI report viewer to view the CyberCop Sentry results and generate 

a report on the host where CyberCop Sentry is running. 

7-6 Chapter 7



In this chapter you learned how to use the CASL modules to run predefined firewall 

filter checks on a network. You also learned how to monitor results using the Sentry 

daemon of CyberCop Scanner. 

The CASL modules used in the firewall filter checks are written in CASL (custom 

audit scripting language). CASL is a high-level programming language that allows you 

to write scripts that simulate attacks or perform information gathering checks. 

If you want to learn how you can customize packets to perform your own security 

audits, you can go on to Part II, Chapter 1, of this manual, “Using NTCASL to 

Generate Custom Audit Packets.” The NTCASL utility of CyberCop Scanner allows 

you to generate custom audit packets that use CASL (custom audit scripting language). 

You can then send your custom packets to a destination host to check for security holes 

in a network. In the NTCASL utility, you construct packets using tools provided in the 

NTCASL user interface. It is not necessary to know the custom audit scripting 

language to use the NTCASL user interface. 

If you wish to learn more about the custom audit scripting language to write your own 

scripts using a text editor, you can go on to Part III, Appendix A, “A Guide to CASL 

(Custom Audit Scripting Language).” Appendix A provides a detailed explanation of 

the custom audit scripting language. It includes a description of CASL program 

structure and syntax, as well as a programming reference guide. In order to use the 

custom audit scripting language, you need to have experience programming in a 

high-level language. 

In the next chapter, “AutoUpdate: Updating CyberCop Scanner Files,” you will learn 

about the AutoUpdate feature. The AutoUpdate feature allows you to download 

updates to the CyberCop Scanner software from NAI’s FTP site, or from another FTP 

site. 



7-8 Chapter 7

8AutoUpdate: Updating 

CyberCop Scanner Files 

Introduction 

8 

The AutoUpdate feature lets NAI provide you with periodic updates to the CyberCop 

Scanner software. Specifically, the AutoUpdate feature is a program that allows you 

to download NAI’s update packs for CyberCop Scanner from NAI’s FTP site (or 

another FTP site) to your system. You can schedule updates on a monthly or weekly 

basis, or you can perform an update now. 

The update packs are compressed files which add updated features, for instance new 

modules for the Vulnerability Database, to your current version of CyberCop Scanner. 

When you download the update packs from NAI’s FTP site (or another FTP site), you 

have the option to apply the update now as a patch to the CyberCop Scanner program 

files, or to wait until later. Before applying the update as a patch, the AutoUpdate 

program checks to make sure that the program files you have downloaded are newer 

than your existing CyberCop Scanner program files. If they are newer, the AutoUpdate 

program will then apply them as a patch to your CyberCop Scanner software. 


AutoUpdate: Updating CyberCop Scanner Files 

About the AutoUpdate Feature 

The AutoUpdate feature lets NAI provide you with periodic updates to the CyberCop 

Scanner software. Specifically, the AutoUpdate feature is a program that allows you 

to download NAI’s update packs for CyberCop Scanner from NAI’s FTP site (or 

another FTP site) to your system. You can schedule updates on a monthly or weekly 

basis, or you can perform an update now. 

The update packs are compressed files which add updated features, for instance new 

modules for the Vulnerability Database, to your current version of CyberCop Scanner. 

When you download the update packs from NAI’s FTP site (or another FTP site), you 

have the option to apply the update now as a patch to the CyberCop Scanner program 

files, or wait until later. Before applying the update as a patch, the Update program 

checks to make sure that the program files you have downloaded are newer than your 

existing CyberCop Scanner program files. If they are newer, the AutoUpdate program 

will then apply them as a patch to your CyberCop Scanner software. 

8-2 Chapter 8

Updating CyberCop Scanner 


You can update CyberCop Scanner by downloading an update pack and applying it 

now. You can also schedule periodic updates on a weekly or monthly basis. The first 

section below explains how to update CyberCop Scanner now. The section which 

follows it explains how to schedule future updates. 

Updating CyberCop Scanner Now Using AutoUpdate 

To update CyberCop Scanner now, do the following: 

1. Select Tools>AutoUpdate. The AutoUpdate program will start. 

2. Enable the Perform Update Now option button. Enabling this option button 

instructs the program to download an update pack now. Click the Next button to 

continue. 

3. Now, select FTP transfer method used by your network: 

• FTP 

• FTP Through Socks Proxy 

• FTP Through Web Proxy 

NOTE: You may already have a previously downloaded update pack. If you 

want to apply the update as a patch to your CyberCop Scanner software now, 

enable the Skip This, I Already Have an Update Patch checkbox. 

4. The next step is to enter information for the FTP transfer method you selected 

above. Follow the set of instructions below that correspond to your FTP transfer 

method. 

For FTP, enter the following information: 

• Directory to Save: Enter the drive and the directory where you want to store 

downloaded update packs. 

• Host Name or IP Address: Enter the host name or the IP address of the 

server where update packs will be downloaded from. 

• Path on Remote Host: Enter the drive and the directory on the remote host 

where the update packs are located. 

• User Name: Enter the user name of the remote host. If you are downloading 

update packs from an anonymous FTP site, do not enter a user name in this 

textbox. 

• Password: Enter the password for the remote host. If you are downloading 

update packs from an anonymous FTP site, do not enter a password in this 

textbox. 



• Click the Next button to continue. 

For FTP Through Socks Proxy, enter the following information: 






where update packs are located. 


the update packs from an anonymous FTP site, do not enter a user name in 

this textbox. 

• Password: Enter your password on the remote host. If you are downloading 

the update packs from an anonymous FTP site, do not enter a password in this 

textbox. 

• Proxy Host: Enter the system name where the socks proxy is installed. 

• Socks Proxy Port: Enter the port the socks proxy communicates to. The 

default port is 1080. 


For FTP Through Web Proxy, enter the following information: 









textbox. 



textbox. 


For Skip This, do the following information: 

• Click the Folder icon. 

• Select the drive and the directory where the update pack is stored. 

8-4 Chapter 8


5. The AutoUpdate program will download the update pack from the selected FTP 

site and save it to the specified drive and directory. 

6. When the program finishes downloading the update pack, it asks you to confirm 

the update pack along with its signatures. Click the OK button. 

7. Click the Exit button to close the program. Your CyberCop Scanner software is 

now updated. 



Updating CyberCop Scanner Periodically Using 

AutoUpdate 

You must have Windows NT Scheduler enabled to schedule periodic updates to 


To schedule periodic updates to CyberCop Scanner, do the following: 

1. Select Tools>AutoUpdate. The AutoUpdate program will start. 

2. Enable the Schedule Update option button to set up an update for later. Click the 

Next button to continue. 

3. Now, select FTP transfer method used by your network: 

• FTP 

• FTP Through Socks Proxy 

• FTP Through Web Proxy 

4. Next, you have the option to automatically apply the update as a patch to your 

current version of CyberCop Scanner. If you wish to apply the update as a patch 

immediately after the update pack is downloaded, click the option button next to 

Actually Perform Update Once Files Have Been Retrieved. 

If you choose not to enable this button, then the update pack will be downloaded 

but the patch will not be applied to your CyberCop Scanner software. You can 

choose to apply the update as a patch later. 

After you have chosen whether to perform the update immediately or save the 

update pack for later, click Next to continue. 

5. The next step is to enter information for your FTP transfer method. Follow the set 

of instructions below that correspond to your FTP transfer method. 

NOTE: If you schedule a future update in the AutoUpdate program using a 

passworded FTP account, the FTP password will be displayed in the Windows 

NT Scheduler. 

For FTP, enter the following information: 






where the update packs are located. 

8-6 Chapter 8




textbox. 



textbox. 


For FTP Through Socks Proxy, enter the following information: 








the update packs from an anonymous FTP site, do not enter a user name in 

this textbox. 

• Password: Enter your password on the remote host. If you are downloading 

the update packs from an anonymous FTP site, do not enter a password in this 

textbox. 


• Socks Proxy Port: Enter the port the socks proxy communicates to. The 

default port is 1080. 


For FTP Through Web Proxy, enter the following information: 









textbox. 



textbox. 





6. Next, select how often you wish to download the update packs. You can choose 

to download update packs on a monthly or weekly basis, and you can choose the 

day and time that updates are performed. 

• For monthly updates, click Reoccurring – Monthly on Day. 

• For weekly updates, click Reoccurring – Weekly on Day 

Then click Next to continue. 

7. Now specify which day and time to perform updates. 

• For monthly updates, select the day of the month you wish updates to occur. 

Then enter the time of day you wish the update to occur. (A 24-hour clock is 

used.) 

• For weekly updates, select the day of the week you wish updates to occur. 

Then enter the time of day you wish the updates to occur. (A 24-hour clock is 

used.) 

Then click Next to continue. A list of the currently scheduled update jobs will be 

displayed. 

8. If you wish to delete a currently scheduled update job from the list, or add another 

scheduled update, you have the following options: 

• To delete a scheduled update from the list, select a scheduled update to 

highlight it, and then click the Delete Job button. The selected scheduled 

update will be removed from the list. 

• To add another scheduled update, click the Back button until you return to the 

What Kind of Job Do You Wish to Schedule window. From this window, you 

can add another scheduled update as described above. 

9. When you have scheduled periodic updates as desired, click Next to continue. 

You can either exit the Update program now, or return to the beginning. To exit, 

click Finish. 

NOTE: It is recommended that you close all open CyberCop Scanner dialog 

boxes and windows, including the main window, before a scheduled update 

takes place. 

8-8 Chapter 8

Deleting Scheduled Updates 

You can delete previously scheduled updates. 

To delete scheduled updates, do the following: 

1. Select Tools>AutoUpdate. 


2. Click the Delete Scheduled Tasks button. Then click Next to continue. 

3. A list of the scheduled updates will be displayed. To delete a scheduled update, 

click it to highlight it. Then click the Delete Job button. The selected scheduled 

update will be removed from the list. 

4. To go back to the start of the program, click the Back button. 




In this chapter, you learned how to use the AutoUpdate feature of CyberCop Scanner. 

The AutoUpdate feature allows you to automatically download update packs from 

NAI’s FTP site (or another FTP site). You now know how to select whether you want 

to perform updates now, or schedule periodic (monthly or weekly) updates. 

Part II of this manual, “Advanced Features,” explains advanced functions of CyberCop 

Scanner, including the CyberCop Scanner NTCASL user interface that allows you to 

generate custom packets that use the custom audit scripting language. You can then 

send your custom packets to a destination host to check for security holes in a network. 

You construct packets using tools provided in the NTCASL user interface. It is not 

necessary to know the custom audit scripting language to use the NTCASL user 

interface. Part II also includes a brief introduction to the Vulnerability Database 

Editor. 

8-10 Chapter 8

Part Two: Advanced Features 

1

1Using NTCASL to Generate 

Custom Audit Packets 

Introduction 

1 

CASL (custom audit scripting language) is a high-level programming language 

designed to write programs (often called scripts) that simulate low-level attacks or 

information gathering checks on networks. To write programs that simulate an attack 

or information gathering check, you need to write code that constructs packets and then 

sends those packets to a host on a network just as an actual attack or information 

gathering check would. You can execute the programs you create in CASL to 

determine if a network is vulnerable to the attack or the information gathering check 

simulated by the programs. 

You can use the NTCASL screen to create and send custom IP packets. In this chapter, 

you will create and send an example packet, specifically a ping packet. Then, you will 

learn more about the NTCASL screen controls. 


Using NTCASL to Generate Custom Audit Packets 

About CASL (Custom Audit Scripting Language) 

CASL is a high-level programming language designed to write programs (often called 

scripts) that simulate low-level attacks or information gathering checks on networks. 





the information gathering check simulated by the programs. You can use the CASL 

screen to create and send custom IP packets. 

1-2 Chapter 1

Creating an Example Packet 


This section includes step-by-step instructions for creating and sending an example 

packet--a ping packet. 

To create a ping packet, follow these steps: 

1. Open CASL from Tools>CASL. 

2. From New select Packet to create an empty packet. A ping packet consists of an 

IP header, an ICMP fixed header, and a data component. In the steps below you 

add these items to the packet. 

3. Create an IP header for the packet. 

• Select the packet. 

• Then, from the listbox select IP Header and then click the Add button. The IP 

Header and its elements appear on the screen under the packet. 

4. Enter values for parameters for IP header elements, including Value Type, Value, 

and Bit Width. Other parameters are automatically selected (or, are not required 

by CASL). 

• Select the Version element under the IP header. Set element parameters as 

follows. 

Value Type: Integer 

Value: 4 

Bit Width: 4 

• Select the Transport Protocol element under the IP header. Set element 

parameters as follows. 

Value Type: Protocols 

Value: IPPROTO_ICMP 

Bit Width: 8 

• Select the Source Address element under the IP header. Set element 


Value Type: IP Address 

Value: Enter the IP address you want the packet to appear to be from. 

Bit Width: 32 

• Select the Destination Address element under the IP header. Set element 


Value Type: IP Address 

Value: Enter the IP address of the packet destination. 

Bit Width: 32 



5. Create an ICMP fixed header for the packet. 

• Select Packet. 

• Then, from the listbox select ICMP Fixed Header and click the Add button. 

The ICMP fixed header and its elements appear on the screen under the 

packet. 

6. Set parameters for the ICMP fixed header as follows. 

• Select the Message Type element under the IP header. Set element parameters 

as follows. 

Value Type: Integer 

Value: 8. (A value of 8 specifies an ICMP echo request, which you set up in 

the steps below.) 

Bit Width: 8 

7. An ICMP echo request requires that you create a component with two elements 

under the ICMP fixed header. 

• To create a component, from New select Component. Now, rename 

GenericComponent to ICMP Echo Request. 

• Create two elements by selecting Element from the New menu twice. There 

should be two elements: GenericElement1 and GenericElement2. Rename 

GenericElement1 to Echo_ID. Then rename GenericElement2 to Sequence 

Number. 

• Set parameters for Echo_ID. Select Echo_ID. Then, set Value Type to 

Integer, Value to 0, and Bit Width to 16. 

• Set parameters for Sequence Number. Select Sequence Number. Then, set 

Value Type to Integer, Value to 0, and Bit Width to 16. 

8. Add data to the packet as follows. 

• Select the packet. 

• Then, from the listbox choose Data and click the Next button. A Data 

component appears as a packet component. 

• Select Data. The Edit Data button appears on the screen. 

• Click the Edit Data Button. When you click the button, the program asks if 

you want to edit data. Click the Yes button to continue. The Edit Data dialog 

box opens. 

• Select 20 bytes in the Data Length listbox using the scrollbox arrows. 

• There are two option buttons in the dialog box—Text mode and Hex mode. 

Text mode lets you add text to data. Hex mode displays the text in 

hexadecimal format. You can edit hexadecimal values. 

For now, select the Text mode option button. 

1-4 Chapter 1


• Then, enter Echo Request Data... in the screen. Click the OK button to 

continue. 

9. Save the packet. From the File menu select Save Script. The Save As dialog box 

opens. Select the drive and the directory where you want the script file to be 

stored. Then, in the File Name textbox enter a name for the script. Click the Save 

button. 

10. Click the Play icon to send the packet. If the packet reaches the host, the host sends 

an ICMP echo reply to the source IP address of the packet. 



CASL Screen Controls 

The CASL Screen 

This section gives more details about the CASL screen controls which you can use to 

generate custom audit packets. 

The CASL screen includes menus, a toolbar, and a listbox, which are used to create 

(and send) packets. A packet generally consists of the following items: 

• components with elements 

• component groups 

• data components 

When you create a packet, items that make up the packet are shown on the left side of 

the screen. If you select an item, information about the item is displayed on the right 

side of the screen. You save packets as script files using the file extension .script. 

1-6 Chapter 1

CASL Menus 


CASL menus contain menu items for creating packets. Menus include File, New, and 

Help, as described in Table 1-1 below. 

Table 1-1. The CASL menus. 

Menu This menu item Does this 

File Open Script Opens the Open dialog box, which allows 

you to open previously saved script files 

(i.e. packets). Alternatively, you can click 

the Folder button on the toolbar to open the 

Open dialog box. 

Save Script 

Save Script As 

Exit 

Saves any changes to the specified script 

file. Alternatively, click the Diskette icon on 

the toolbar to save changes to the script file. 

Opens the Save As dialog box, which allows 

you to save packet changes to a new script 

file. 

Closes the CASL screen. 

New Packet Creates an empty packet. The empty packet 

is called GenericPacket by default. Group 

components, data components, and 

components with elements can be added to 

the packet. The packet can also be renamed. 

Group 

Component 

Creates an empty group. The empty group is 

called GenericGroup by default. A number is 

appended to the end of the GenericGroup 

name when more than one group is created. 

The group can be renamed. A group is used 

to group related components. 

Creates an empty component. The empty 

component is called GenericComponent by 

default. The component can be renamed. 

Elements are added under components. 



Element 

Creates an empty element. The empty 

element is called GenericElement by default. 

A number is appended to the end of the 

GenericElement name when more than one 

element is created. The element can be 

renamed. Elements are data values for 

numerical fields inside components. 

Help Help Displays CyberCop Scanner Help. 

About 

Opens the About Scanner dialog box, which 

displays the software version number 

installed on your system. 

1-8 Chapter 1

CASL Toolbar 


Toolbar buttons provide access to the most used screen functions. The toolbar buttons 

are described in Table 1-2 below. 

Table 1-2. The CASL toolbar. 

This button 

Folder 

Diskette 

Play 

Copy 

Delete 

Does this 

Displays the Open dialog box, which allows 

you to open previously saved script files (i.e. 

packets). 

Saves changes to the currently opened script. 

Sends the selected packet to the target 

destination address in the IP header. 

Copies an item used to create a packet. To 

copy an item, select the item in the packet and 

then click the Copy button. 

Deletes an item used to create a packet. To 

delete an item, select the item in the packet 

and then click the Delete button. 



CASL Listbox 

The CASL listbox includes items that can be added to a packet, described in Table 1-3 

below. 

Table 1-3. The CASL listbox. 

This listbox item 

Generic Packet 

Generic Group 

Generic Component 

Generic Element 

Data 

Does this 

Creates an empty packet. (Alternatively, select 

Packet from the New menu.) The empty packet 

is called GenericPacket by default. Group 

components, data components, and components 

with elements can be added to the packet. The 

packet can also be renamed. 

Creates an empty group. (Alternatively, select 

Group from the New menu.) The empty group 

is called GenericGroup by default. A number is 

appended to the end of the GenericGroup name 

when more than one group is created. The 

group can be renamed. A group is used to group 

related components. 

Creates an empty component. (Alternatively, 

select Component from the New menu.) The 

empty component is called GenericComponent 

by default. The component can be renamed. 

Elements are added under components, as 

described below. 

Creates an empty element.(Alternatively, select 

Element from the New menu.) The empty 

element is called GenericElement by default. A 

number is appended to the end of the 

GenericElement name when more than one 

element is created. The element can be 

renamed. Elements are data values for 

numerical fields inside components. 

Creates an empty data component. The empty 

data component is called Data by default. The 

data component can be renamed. Arbitrary 

length binary or text data can be entered in the 

data component. 

1-10 Chapter 1


ICMP Fixed Header 

TCP Header 

UDP Header 

IP Header 

Creates a component with the ICMP header 

structure predefined. 

TCP HeaderCreates a component with the TCP 

header structure predefined. 

Creates a component with the UDP header 

structure predefined. 

IP HeaderCreates a component with the IP 

header structure defined. An IP header must be 

used first in every packet you create. 

You can add any of the items listed in the table to a packet by selecting the item from 

the listbox and then clicking the Add button. 




In this chapter, you learned how to use the screen controls of the NTCASL user 

interface to generate a custom audit packet and send it to a destination host. You can 

generate custom packets to check for security holes on a network. 

CASL uses the custom audit scripting language to generate a CASL packet file. CASL 

allows you to write your own programs to perform security audits such as attacks or 

information gathering checks on a network. 

If you would like to learn more about CASL to write your own programs, you can go 

to Part III, Appendix A, “A Guide to CASL (Custom Audit Scripting Language).” 

Appendix A gives a detailed explanation of CASL, including program structure and 

syntax. It also includes a programming reference guide. You need to have experience 

using a high-level programming language in order to use CASL. 

1-12 Chapter 1

2The Vulnerability Database 

Editor 

Introduction 

2 

The Vulnerability Database Editor allows you to view and edit module records. It also 

allows you to export modules from the Vulnerability Database as *.1 files. A module 

record includes module reference parameters, descriptive options such as flags and 

severity settings, and verbose descriptions. CyberCop Scanner uses module records to 

access modules to run them during a scan, to pass certain parameters to modules, and 

to generate vulnerability descriptions in reports. 

The Vulnerability Database Editor is available by selecting the Configure>Module 

Settings... menu item of CyberCop Scanner to open the Module Configuration dialog 

box. In this dialog box, you right-click on a module name in the Module Selections 

listbox and then select Edit Vulnerability... from the context menu to view the 

module record for the selected module. 

NOTE: The Vulnerability Database Editor is intended for expert use only. Any 

changes made to module records in the Vulnerability Database could seriously 

impair the operation of CyberCop Scanner. 


The Vulnerability Database Editor 

About the Vulnerability Database 

CyberCop Scanner includes over 600 modules, grouped into classes, which perform 

various information gathering checks and attacks against a target host or network. The 

executable files for the module classes, stored in the directory c:\Program 

Files\Network Associates\SMI Products\CyberCop Scanner\modules, are run by 

CyberCop Scanner, which passes required parameters and arguments to them from the 


The Vulnerability Database contains a module record for each module, which 

includes parameters which reference the executable file for the module, descriptive 

options such as flags and severity settings, and verbose descriptions. The module 

records are used by CyberCop Scanner to access modules during a scan and to generate 

reports of vulnerabilities that are found. In addition, the Vulnerability Database stores 

global variables, called module specific options, which are used by specific modules 

as parameters or arguments. Settings for these global variables can be viewed on the 

Module Options tab of CyberCop Scanner, accessible by selecting the 

Configure>Scan Settings... menu item. 

The Vulnerability Database consists of the file CCSVulnDB.mdb, a database file 

which contains the module records and module specific options used by CyberCop 

Scanner. This database file is located at c:\Program Files\Network Associates\SMI 

Products\CyberCop Scanner. 

NOTE: Before making any changes to the Vulnerability Database, including 

changing any module specific options on the Module Options tab of CyberCop 

Scanner and editing any module records using the Vulnerability Database Editor, 

it is strongly recommended that you create a backup copy of the 

CCSVulnDB.mdb database file. Otherwise, the database file will be 

overwritten and you will not be able to undo the changes. 

Making a backup copy of the CCSVulnDB.mdb database file ensures that you 

can retrieve the original module records and module specific options after 

making any changes. 

The Vulnerability Database Editor is built into the CyberCop Scanner user interface. 

The Vulnerability Database Editor allows you to modify information in a module 

record and to export modules as *.1 files with numerical filenames. It also allows you 

to modify module parameters. 

2-2 Chapter 2

About Module Records 


The Vulnerability Database Editor displays controls including listboxes, dropdown 

lists, and text fields, for viewing and modifying the information in a module record. 

Module information is listed below. 

Flags and Severity Settings 

A module record includes Flags and descriptive options such as Impact, Risk Factor, 

Complexity, Root Cause, Fix Ease, and Popularity. 

Flags 

There are several flags including One at a Time, Dangerous, Policy, and Access. These 

are internal flags used by CyberCop Scanner when running modules. Changing Flag 

settings is not recommended. 

One at a Time: One at a Time indicates that the module must be run on its own, so 

that no other modules will interfere with its operation. 

Dangerous: Dangerous indicates that the module has the potential to do damage, by 

performing a denial of service attack. Modules flagged as Dangerous are highlighted 

in red when they are selected in the Modules listbox in the Config>Module Config tab. 

Policy: Policy indicates that a module checks for policy violations, for example, 

exceeding allotted disk space or password age limits. Policy violation checks generally 

apply to Windows NT systems. 

Impact 

Impact indicates the specific threat posed by a vulnerability. A security problem in a 

computer system can pose many different risks. Some problems are more serious than 

others; while all problems should be considered in an audit, it is more important that 

the most serious and far-reaching vulnerabilities be addressed before the minor ones. 

CyberCop Scanner breaks the implications of a vulnerability down into several 

different categories, each of which represents an aspect of a computer system 

threatened by a security vulnerability. 

System Integrity: Some security problems threaten all the operations of a computer 

system, by allowing an attacker to obtain complete control of it's functioning. These 

problems include attacks that grant a remote attacker shell access to the system (or the 

ability to execute arbitrary commands) and the ability to modify arbitrary files on the 

system (and thus reconfigure it). 



Confidentiality: Many computer systems store information that is highly sensitive, 

due to user privacy requirements (such as the secure storage of personal 

communications in electronic mail) or organizational secrecy requirements (such as 

private financial data or proprietary software). Threats to confidentiality allow an 

attacker to gain access to this information illicitly. 

Accountability: Most computer systems have some type of logging capability that at 

least potentially allows the actions of an attacker to be traced back to their source. 

Systems that put a name to the activities of system users are said to provide 

"accountability". Because accountability acts as a deterrent to attacks (which are 

usually illegal), disabling these capabilities is often a priority for attackers. 

Data Integrity: Most users of computer systems assume that the data maintained by 

those systems is accurate and authentic. This can be extremely important for many 

applications, in which incorrect information can be legally, financially, or even 

medically disastrous. Attacks which attempt to illicitly modify information on a 

computer system are said to target the integrity of it's data. 

Authorization: Most users of computer systems have a limited amount of access to 

those systems; they can perform their own work, and work within their groups, but 

cannot directly manage the operation of the entire system. The mechanisms used to 

limit users to appropriate activities track the "authorization" of those activities. 

Availability: "Availability" is the general computer security goal of keeping a 

computer system "available" to it's legitimate users --- up and running smoothly and 

with reasonable, expected performance. Attacks that compromise the availability of a 

system are more widely referred to as "Denial of Service" attacks. 

Intelligence: Attackers often collect information about targeted systems before 

actually attempting to break in; information gathered by an attacker prior to a break-in 

attempt often greatly increases the odds of a successful intrusion, and, more 

importantly, amplifies the rewards made available by an attack. Attacks which involve 

the collection of information from a system prior to actual intrusion are said to impact 

"intelligence". 

Risk Factor 

Risk Factor indicates the severity of the threat posed by a vulnerability. The 

implications (or impact) of a vulnerability determine which aspects of a computer 

system are affected by exploitation of that security problem. To fully assess the 

technical risks posed by a problem, however, it is important to consider how "severe" 

the problem is. A minor problem that affects data integrity may only allow an attacker 

to insert random garbage into a file; a major problem might allow an attacker to control 

completely the contents of the same file. 

2-4 Chapter 2


Low: The scope of the implications of the attack are extremely limited, providing very 

little flexibility to an attacker. Exploitation of this type of problem may not even be 

noticeable to users of the system. It is important to understand, however, that several 

low-severity problems can often be leveraged together to perform a more severe 

attack. 

Medium: The results of the attack are serious, posing a real risk to the system or the 

privacy of its users. While complete access to the system cannot be obtained directly 

from the attack, the access it does provide can be instrumental in completely 

compromising the system. 

High: The attack is extremely powerful, posing a direct threat to the system. 

Exploitation of this problem can immediately meet the objectives of the attacker, and 

pose a serious risk to the vulnerable organization. 

Complexity 

Complexity indicates the difficulty involved in exploiting a vulnerability. Some 

attacks against computer systems are more complicated than others; exploiting a 

vulnerability in a WWW CGI program may involve merely inserting a "magic" 

character in form field, while other attacks may require a carefully coordinated series 

of interactions with obscure network services. Unfortunately, the complexity of an 

attack has more of an effect on the likelihood of it being defended against, rather than 

the likelihood of it being used by an attacker (who is probably wielding an arsenal of 

complex attacks to leverage against a computer system). Ironically, the most complex 

attacks are often the most popular. 

Low: The attack can be executed by an unskilled attacker without any special tools 

(perhaps by using standard Unix utilities, or by using their web browser). The problem 

may be obvious even to someone who is not familiar with the issues involved in 

computer security. 

Medium: A special-purpose software tool is required to exploit this problem; this tool 

is probably quite easy to use and understand by a neophyte hacker, but exploitation of 

this problem may be out of the reach of individuals that are not familiar with the 

security community or the hacker underground. 

High: Exploitation of this problem requires exploit code, which is difficult to write and 

may require access to specific types of computer systems. Actually using this tool may 

require specific knowledge of the vulnerability and the system on which it is present. 



Root Cause 

Root Cause indicates the underlying cause of a vulnerability. Many security problems 

can be avoided, proactively, by maintaining security awareness in the planning and 

design stages of network engineering. Others may be the result of poor operational 

practice (perhaps due to network administration lacking focus on security). Identifying 

the root causes of the vulnerabilities discovered in a network allows patterns of 

vulnerability to be identified. 

Configuration: The vulnerability exists because a component of the system was 

configured insecurely. Available access control mechanisms (such as password 

authentication for routers) have not been enabled, default configuration values remain 

present (default SNMP communities are still in place, for instance), or extensions have 

been made to the system that violate security. 

Implementation: The vulnerability exists due to a software implementation problem, 

because of a bug in a program deployed in the system. Prior to the initial discovery of 

this security problem, there was no way for an organization to be aware of this 

problem, and, unless the vulnerable software is removed or restricted from normal 

users, the only way to fix the problem is to apply vendor patches. 

Design: The vulnerability exists because of an insecure design, that is, the service 

implemented by the problematic software is fundamentally insecure, the design of the 

software neglects security concerns, or the protocol implemented by the software is 

inadequate. Similar software solutions for this service may have equivalent 

vulnerabilities, and there may not be any obvious way to defend against the threat 

without disabling the service provided by the vulnerable software. 

Fix Ease 

Fix ease indicates the simplicity of fixing a vulnerability, or the ease of resolution. 

When faced with a large number of serious vulnerabilities, it is important that security 

problems be solved as efficiently as possible. Because some problems are easier to 

solve than others, quickly addressing the easy problems first may rapidly increase the 

security of a vulnerable system. Additionally, fixing some problems poses risks of 

disrupting services, and resolution for those problems may thus require careful 

scheduling. 

Trivial: The problem can be resolved quickly and without risk of disruption by 

reconfiguration of vulnerable software. 

Simple: The problem might be solved by significant reconfiguration of the vulnerable 

system, or by a vendor patch. Minimal risk of disruption to services is present, but 

conscientious immediate effort to resolve the problem is reasonable. 

2-6 Chapter 2


Moderate: The problem requires a vendor patch to solve and presents a significant 

risk of service disruption. It is possible that resolution of this problem may require an 

upgrade to a substantially different version of software, or that the reconfiguration 

required to solve the problem has far-reaching impact on legitimate users. 

Difficult: The problem requires either an obscure, hard-to-find vendor patch to 

resolve, or requires manual source code editing to fix. Great risk of service disruption 

makes it impractical to solve this problem for mission critical systems without careful 

scheduling. 

Infeasible: This problem is due to a design-level flaw, and cannot be resolved by 

patching or reconfiguring vulnerable software. It is possible that the only way to 

address this problem is to cease using the vulnerable software or protocol, or to isolate 

it from the rest of the network and eliminate reliance on it completely. 

Popularity 

Popularity indicates the likelihood that a vulnerability will be exploited. It is important 

to understand that all attackers are not equally capable. The presence of obscure, 

complicated vulnerabilities may not be a strong indicator that a system has already 

been compromised; however, the presence of well known, widely exploited problems 

may be an immediate cause for alarm. 

Obscure: The attack is not widely known, or, more importantly, the information 

needed to exploit the problem is not widely available. The problem may affect a 

service that is not well understood, or may require knowledge not often maintained by 

casual attackers (such as the advanced mathematics needed to invent a cryptographic 

attack). 

Widespread: The attack has been published and is widely known to attackers. 

However, the relative rarity of vulnerable systems or the difficulty involved in 

exploiting the problem prevents it from representing a likely first avenue of attack on 

asystem. 

Popular: The attack has been published, often in computer underground publications 

or on widely-read "hacker" newsgroups, and is used often by neophyte attackers and 

by automated attacker tools. It is not unlikely that the system's vulnerability has been 

discovered by an attacker casually scanning large numbers of arbitrary addresses for 

vulnerable hosts. 



Module Descriptions 

Module descriptions include basic text information about the selected module. 

Short Description 

Module Parameters 

Short Description specifies the name of the module that will be displayed in the 

Module Configuration dialog box and also in any reports that are generated. 

Verbose Descriptions 

Verbose text descriptions can be entered for the categories Security Concerns, 

Suggestion, Reproduce, Tech Paper and References (for other sources of information), 

and Manager Description (high level description). 

Not all description categories are used by all modules. You can add text to the 

descriptions that apply to your network. However, it is not recommended that you 

change or delete existing text. 

The module parameter text fields include the top and bottom rows of the Edit 

Vulnerability dialog box of the Vulnerability Database Editor. These text fields allow 

editing of parameters or arguments in existing modules. As examples, some of these 

module parameters are described below. 

NOTE: Changing module parameters is not recommended. Any changes made 

to module parameters in the Vulnerability Database could seriously impair the 

operation of CyberCop Scanner. 

VulnID 

VulnID specifies the module number that will be listed in the Module Configuration 

dialog box and also in any reports that are generated. The Vulnerability ID matches the 

ID number in the module class executable file. Do not change the Vulnerability ID. 

Otherwise CyberCop Scanner will not be able to access the module to run it. 

Timeout 

Timeout sets a timeout value (in seconds) for the module that overrides the default 

value specified on the Scan Options tab (accessible by selecting the Configure>Scan 

Settings... menu item). If a value of 0 is specified in the Vulnerability Database, then 

the default value on the Scan Options tab is used. If a value of –1 is specified, then the 

module has no timeout and will continue running until it is finished. 

2-8 Chapter 2


Editing Module Records 

You edit module records using the Vulnerability Database Editor. Controls in the Edit 

Vulnerability Database Editor allow you to do the following: 

• You can edit information in a module record. 

• You can save changes made to a module record in the Vulnerability Database. 

• You can cancel changes made in the Edit Vulnerability dialog box to close the 

Vulnerability Database Editor without saving changes. 

To open the Vulnerability Database Editor, do the following: 



2. In the Module Configuration dialog box, in the Module Selection listbox, 

right-click on a module nam or module number to open a context menu. 

3. From the context menu, select Edit Vulnerability... The Edit Vulnerability dialog 

box will open, allowing you to view and edit the module record for the selected 

module. 

NOTE: The Vulnerability Database Editor is intended for expert use only. You 

should be aware that changes made to module records in the Vulnerability 

Database could seriously impair the operation of CyberCop Scanner. It is 

strongly recommended that you do not make changes to module records in the 


To edit a module record, do the following: 

NOTE: Before making any changes to the Vulnerability Database, including 

changing any module specific options on the Module Options tab of CyberCop 

Scanner and editing any module records using the Vulnerability Database Editor, 

it is strongly recommended that you create a backup copy of the 

CCSVulnDB.mdb database file. Otherwise, the database file will be 

overwritten and you will not be able to undo the changes. 

Making a backup copy of the CCSVulnDB.mdb database file ensures that you 

can retrieve the original module records and module specific options after 

making any changes. 

1. You can edit information in the module record as follows: 

• Set descriptive options in the verbose text fields. 

• Set flags and severity settings. 

The above information options are described in more detail earlier in this chapter. 



To save changes made to a module record, do the following: 

• In the Edit Vulnerability dialog box, after editing information in a module record, 

click OK. The changes you made will be saved and the dialog box will close. 

NOTE: You will not be prompted before changes are saved. It is not possible to 

undo changes that are saved. To recover the original version of a module record, 

you must use a backup copy of the Vulnerability Database CCSVulnDB.mdb 

which you must create before making any changes. 

To cancel changes made in the Edit Vulnerability dialog box, do the following: 

• Click the Cancel button. The dialog box will close and changes will not be saved. 

Now you know how to use some of the controls of the Vulnerability Database Editor. 

2-10 Chapter 2

Exporting Modules 


To export a module as a *.1 file with a numerical filename, do the following: 



2. In the Module Configuration dialog box, in the Module Selection listbox, 

right-click on a module name or module number to open a context menu. 

3. From the context menu, select Export Module... The Save As dialog box will 

open, allowing you to save the selected module as a module file (*.1) with a 

numerical filename. 



Summary 

In this chapter, you learned how to use the Vulnerability Database Editor to view and 

edit module records in the Vulnerability Database and to export modules. You should 

use caution when modifying any information in the Vulnerability Database, as changes 

could seriously impair operation of CyberCop Scanner 

2-12 Chapter 2

Part Three: Appendices 

1

AA Guide to CASL (Custom 

Audit Scripting Language) 

Introduction 

A 

This chapter is a guide to CASL (custom audit scripting language). CASL is a 

high-level programming language. CASL lets you write programs in a text editor that 

simulate attacks or information gathering checks, making CASL ideal for evaluating 

network security. To write programs in CASL you must have the CASL interpreter 

installed on your system. 

In this chapter, you will find information on the following topics: 

• an explanation of CASL 

• an introduction to the main elements of CASL programs, including an example 

CASL program 

• a reference section containing detailed descriptions of the elements you can use in 

CASL programs 

• a summary of the CASL built-in functions you can use in CASL programs 

CASL is for expert use only. CASL requires high-level programming experience and 

an understanding of TCP/IP protocol. 

CyberCop Scanner Getting Started Guide A-1

A Guide to CASL (Custom Audit Scripting Language) 

About CASL 

CASL is a high-level programming language designed to write programs (often called 

scripts) that simulate low-level attacks or information gathering checks on networks. 





the information gathering check simulated by the programs. 

Writing programs to simulate low-level attacks on networks is difficult, if not 

impossible, in most high-level programming languages. As an example, consider the 

Tear Drop attack. Tear Drop sends two IP packet fragments to a host. The two IP 

packet fragments overlap each other, which cause crashes on Windows NT and Linux 

operating systems. Sending overlapping IP packet fragments is difficult in C and 

impossible in COBOL. In CASL sending overlapping IP packet fragments is easy, 

making CASL ideal for simulating attacks like Tear Drop. 

Writing programs that are not operating system dependent is impossible in most 

high-level programming languages. For instance, consider the information gathering 

check TCP Stealth Port Scan. TCP Stealth Port Scan detects if a connection can be 

made to a port on a host. (TCP Stealth Port Scan does not open the connection.) In C, 

you need to write separate programs for different operating systems. For example, if 

you want to execute TCP Stealth Port Scan on the Windows NT and Linux operating 

systems, you write two programs—one for Windows NT and the other for Linux. In 

CASL, you can write one program for TCP Stealth Port Scan and execute it on many 

operating systems. 

The next section, “Programming With CASL,” is designed to familiarize you with the 

main elements of CASL programs. It also includes an example CASL program for 

TCP Stealth Port Scan. 

A-2 Appendix A


Programming With CASL 

This section is divided into two parts. The first part, “Structuring CASL Programs,” 

introduces you to the main elements of CASL programs. The second part, 

“Understanding an Example CASL Program,” includes an example CASL 

program—TCP Stealth Port Scan. This part guides you through the elements you use 

to create the TCP Stealth Port Scan program. 

Structuring CASL Programs 

You write CASL programs in a text editor. The main elements you use to write CASL 

programs (or, scripts) include: 

• statements 

• variables 

• comments 

• packets 

A CASL program consists of statements. A statement is defined as an action, for 

example calculating the value of 2+2 or reading a UDP packet. A statement operates 

on variables. A variable can be: 

• an ASCII character, which is represented in single quotes (e.g. ’c’) 

• a number, which is represented as either: 1) a positive or negative integer without 

quotes; or 2) an integer in hexidecimal format with 0X preceding the integer 

• a string, which is represented as either: 1) a sequence of characters in double quotes 

(e.g. "hello,world!"); or 2) control sequences represented in backslash quoted 

codes (e.g. new line is ’\n’) 

• a buffer, which holds a collection of data, generally input packets 

• a list, which holds a collection of data, generally output packets 

A CASL program supports comments that are ignored by the interpreter. A comment 

can be either a single line or multiple lines. A single line comment beings with "//". A 

multiple line comment begins with "/*" and ends with "*/". 

In a CASL program, you create packets, which are units of protocol data, from scratch. 

Or, you create packets using predefined packet templates included in CASL. Defining 

a packet in CASL consists of selecting the desired protocol structure and then setting 

data elements in the packet. 

The subsequent section includes an example CASL program, TCP Stealth Port Scan, 

which illustrates the main elements of a CASL program. 



Understanding an Example CASL Program 

This section guides you through an example CASL program for TCP Stealth Port 

Scan. TCP Stealth Port Scan is an information gathering check. TCP Stealth Port Scan 

requests a connection to a port on a host by sending a TCP SYN packet to the host. The 

TCP Stealth Port Scan program then waits for a response to the TCP SYN packet. The 

TCP response can be: 

• an acknowledgment, indicating a service is listening and willing to accept a 

connection for the port, 

• a reset, indicating a service is not offered for the port, or 

• nothing, indicating something, for example a firewall, is filtering out the 

connection attempt 

Note that the TCP Stealth Port Scan does not open a connection to a port, even when 

a service is available on the port. 

This is the TCP Stealth Port Scan program created in CASL. 

#include "tcpip.casl" 

#include "packets.casl" 

for(i=1;i


NOTE: The key words in the TCP Stealth Port Scan program above are 

described in detail in the section "CASL Reference" later in this chapter. 

The sections below lead you through the steps you perform to create the TCP Stealth 

Port Scan program in CASL. 

Step One: Defining TCP/IP Packets 

To set up a TCP Stealth Port Scan program, you need to create TCP/IP packets. TCP/IP 

header defaults for TCP/IP packets are included in CASL. You enter the following 

statement to access TCP/IP header defaults: 



Step Two: Creating a TCP SYN Packet 

Next, you need to create a TCP SYN packet, which is the packet that requests a 

connection to a port on the destination host. You create a TCP SYN packet using a 

predefined TCP packet header template, changing predefined parameters in the 

template as appropriate. You enter the following statement to create a TCP SYN 

packet using the template: 

OurSYN = copy SYN; 

OurSYN.tcp_source = 10; 

OurSYN.tcp_destination = 2049; 

The above statement assigns a source port of 10 (an arbitrary number) and a 

destination port of 2049 (the TCP NFS port) to the TCP packet header for example 

purposes only. You can change the source port and the destination port numbers as you 

wish. 

Step Three: Specifying a Destination Host for the TCP 

SYN Packet 

Now, you add an IP header to the TCP SYN packet header. In the IP header, you 

specify the destination host for the TCP SYN packet. You enter the following 

statement to add an IP header to the TCP SYN packet header: 

IP= copy TCPIP; 

OurIP.ip_source = 127.0.0.1; 

OurIP.ip_destination = 127.0.0.2; 

The above statement defines the source host as 127.0.0.1 and the destination host as 

127.0.0.1. The source host and destination host IP addresses are provided for example 

only. If you write the TCP Stealth Port Scan in CASL, make sure that you enter IP 

addresses appropriate for desired source and destination hosts. 



Step Four: Combining TCP SYN and IP Headers 

Next, you combine the TCP SYN and IP headers. There are two ways to combine TCP 

SYN and IP headers. You can combine them using either: 1) a list variable or; 2) list 

operators. 

You enter the following statement to combine TCP SYN and IP headers using a list 

variable: 

PacketList = [ OurIP, OurSYN ]; 

The above statement creates a list called PacketList, with one operator for each 

component in the list. The opening bracket starts the list and the closing bracket ends 

the list. Individual values in the list are separated by a comma. 

You enter the following statement to combine TCP SYN and IP headers using list 

operators: 

PacketList = PacketList push OurSYN; 

PacketList = PacketList push OurIP; 

The above statement creates a list called PacketList, with a separate operator for each 

component in the list. TCP and IP headers are added to the list separately. (The last 

element added (or, pushed) onto the list is the first element written to the list.) 

Step Five: Outputting the TCP SYN Packet 

Next, you instruct the program to output the TCP SYN packet onto a network by 

entering the following statement: 

ip_output(PacketList); 

Step Six: Defining Port Connections 

Most standard network services listen to reserved ports. Therefore, you want to 

instruct TCP Stealth Port Scan to get information for reserved port nos. 1 through 

1023. You get information about reserved ports by looping through the ports. You 

enter the following statement to loop through reserved ports: 

for(i=1;i


Step Seven: Sending Connection Requests to Ports 

You enter the following statement to send connection requests to reserved ports. 

For (i = 1; i < 1023; i = i + 1) { 

OurSYN = copy SYN; 

OurSYN.tcp_source = 10; 

OurSYN.tcp_destination = i; 

OurIP = copy TCPIP; 

OurIP.tcp_source = 127.0.0.1; 

OurIP.tcp_destination = 127.0.0.2; 

OurPacket = [ OurIP, OurSYN ]; 

ip_output(OurPacket); 

} 

Step Eight: Reading TCP Responses 

You use ip_input() routines to determine if a port on a destination host answered the 

program’s connection requests. ip_input() routines specify the time (in milliseconds) 

for attempting a connection. ip_input() routines also specify the packets types to be 

read using a tcp_dump filter. 

You enter the following statement to read a response to a packet: 

OurFilter = [ "src host ", 127.0.0.2, " and tcp src port ", i ]; 

where i is equal to 103 

ReadPacket = ip_input(2000, OurFilter); 

If ip_input() does not read a packet successfully, it returns a value of zero. Each time 

ip_input() is used, you must check if it reads a packet successfully by comparing the 

returned value to 0. You enter the following statement to compare values: 

if(!ReadPacket) 

continue; 

In the above statement, continue tells the interpreter to move forward in the loop. 

When the program reads a packet, it returns a complete IP packet. 

Step Nine: Determining TCP Response Types 

Next, you need to determine if the complete IP packet is a TCP SYN+ACK or a TCP 

RST packet. If the IP packet is a TCP SYN+ACK packet, a service was listening and 

willing to accept a connection for the port. If the packet is a TCP RST packet, a service 

is not offered for the port. You can determine if the IP packet is a TCP SYN+ACK or 

a TCP RST packet by looking at its packet size and packet header, as described below. 



First, you check the size of the IP packet. The IP packet must be large enough to 

contain a TCP and IP header. You enter the following statement to check the IP packet 

size: 

if(size(ReadPacket) < size(IP) + size(TCP)) 

continue; 

The above statement tells the interpreter to move forward in the loop if the IP packet 

is smaller in size than the sum of the sizes of the TCP and IP headers. If the IP packet 

is large enough, the packet header can be extracted from the IP packet. You enter the 

following statement to extract the packet header: 

ReadIP = extract ip from ReadPacket; 

ReadTCP = extract tcp from ReadPacket; 

Each header in the above statement is extracted using the extract operator. Once the 

packet headers are extracted, you look at the individual fields of the TCP header to 

verify that they are set properly. The SYN and ACK fields should be set; the RST field 

should not be set. Note that if the aforementioned fields are not set properly, the 

connections to the port will be opened. 

Enter the following statement to view TCP header fields: 

if(ReadTCP.tcp_ack != 1 || ReadTCP.tcp_syn != 1 || ReadTCP.tcp_rst == 1) 

continue; 

where || is a logical or and != is not equal. The statement reads: If the ACK flag is not 

set, or the SYN flag is not set, or the RST flag is set restart the loop for the next port. 

If the programs proceeds in the loop after this statement, the packet is a TCP SYN + 

ACK packet. This packet type indicates that a service was listening and willing to 

accept a connection for the port. 

Step Ten: Verifying an Open Port Connection 

The print function notifies you if there is a port open for connection. You enter the 

following statement to see if a port is open for connection: 

print("Port", i, "Alive"); 

If i is 1022, Port 1022 Alive is printed. 

Step Eleven: Evaluating the Completed Program 

The program for TCP Stealth Port Scan is now complete. 



for(i=1;i


OurSYN.tcp_destination = i; 

OurIP = copy TCPIP; 

OurIP.ip_source = 127.0.0.1; 

OurIP.ip_destination = 127.0.0.2; 

OurPacket = [ OurIP, OurSYN ]; 

ip_output(OurPacket); 

OurFilter = [ "src host ", 127.0.0.2, " and tcp src port ", i ]; 

ReadPacket = ip_input(2000, OurFilter); 

if(!ReadPacket) 

continue; 

if(size(ReadPacket) < size(IP) + size(TCP)) 

continue; 

ReadIP=extract ip from ReadPacket 

ReadTCP=extract tcp from ReadPacket 

if(ReadTCP.tcp_ack != 1 

|| ReadTCP.tcp_syn != 1 

|| ReadTCP.tcp_rst == 1) 

continue; 

print("Port", i, "Alive"); 

} 

You can write the above program in a text editor making changes where appropriate 

(for example changing IP addresses) and then execute the program. 

NOTE: Before testing CASL programs on critical networks, we recommend that 

you test them on non-critical networks. CASL programs are most often attacks, 

which means they can disrupt and disable networks. 

The next section, "CASL Reference," includes detailed descriptions of all the elements 

you can use in CASL programs. 



CASL Reference 

This section includes a description of each element you can use in a CASL program, 

or script. It is divided into four main sections: 

• program structure 

• lists 

• packet headers 

• subroutines 

You can skip straight to the section that describes the element you are interested in. 

A-10 Appendix A


Program Structure 

This section includes definitions of elements related to CASL program structure. This 

section is divided into four main parts: 

• statements 

• variables 

• syntax 

• control statements 

Statements 

CASL programs consist of statements. Statements consist of control constructs and 

expressions. Control constructs are statements which define the flow of a program, for 

example loops (while and for) and conditionals (if). Expressions are sentences which 

evaluate to a value. You can execute statements in global scope, which eliminates the 

need for creating a program with routines. You do not need to use an entry point 

main() functioninCASL. 

Variables 

Statements operate on variables. Variables are dynamically typed, therefore they do 

not have a declared type and do not need to be declared prior to use. You can assign 

variables (described below) to expressions. There are five variable types—character, 

integer, string, buffer, and list. 

Characters 

Characters are ASCII characters. Characters are represented in single quotes (e.g. ’c’). 

Integers (Numbers) 

Integers (i.e. numbers) are represented as either: 1) positive or negative intergers 

without quotes; or 2) integers in hexidecimal format when 0X precedes the integer. 

Note that floating point and decimal point numbers are not allowed in CASL. 

Strings 

Strings are any number of characters enclosed in double quotes, for instance "hello 

world!" CASL treats strings as built-in types, not as arrays. (Perl and C treat strings as 

arrays.) 



You can define string literals, which may include adjacent string literals. String 

literals are constant strings in a CASL source file, for example "hello world!" 

Adjacent string literals are concentrated into a single string. For example, "foo" "bar" 

is equivalent to the string "foobar". String literals can contain escape codes 

representing non-ASCII characters. Escape codes include "\n" (newline), "\r" (carriage 

return), "\t" (tab), and "\xNN" (the character represented by the ASCII hex code NN). 

Buffers 

Buffers are complex types, which can contain many pieces of information. Buffers 

express pieces of information as bytes. Buffers generally hold packet structures and 

input packets. 

Lists 

Like buffers, lists are complex types which can contain many pieces of information. 

Lists are discrete series of variables. Lists generally hold output packets. 

Syntax 

The subsequent sections describe the syntax used to express elements. 

Statements 

CASL code consists of statements. Statements are terminated with a semicolon. They 

are case sensitive and whitespace insensitive. Thus, you can indent and space CASL 

programs as you wish. 

You can use single statements or a collection of statements in CASL programs. Single 

statements stand on their own. A collection of statements can be grouped together. 

(When enclosed in curly braces, a collection of statements is treated as a single 

statement.) 

Comments are remarks in CASL source code that are ignored by the interpreter. A 

comment can be either a single line or multiple lines. A single line comment beings 

with "//". A multiple line comment begins with "/*" and ends with "*/". 

Variables 

Variables are the basic elements of CASL programs. You can use characters, integers, 

strings, buffers, and/or lists as variables. Variables are assigned names. When you 

assign a name to a variable, the name must: 1) start with a letter; and 2) consist of zero 

or more trailing letters, numbers, or the underscore "_" character. Examples of valid 

variable names include the following: foo, bar_baz, i, and z1. Examples of invalid 

variables include 1a and a@b. 

A-12 Appendix A


Variable Assignments 

Variable names are not valid until they are assigned to by an assignment operator, =. 

An assignment takes the value of the expression to the right of the = and assigns it to 

the variable on the left. The variable assigned to does not need to exist beforehand. For 

instance, i=cassigns the value of the variable c to i. In this example, c must exist 

beforehand; i does not need to exist beforehand. 

Increment and Decrement Operators 

Increment operators add a value of one to a variable. Decrement operators subtract a 

value of one to a variable. Both increment and decrement operators can be used with 

either preincrement or postincrement options. Preincrement adds the value one to a 

variable and then returns it for further expression evaluation. Postincrement subtracts 

the value one to a variable, however, it returns the original variable for further 

expression evaluation. 

Expressions for increment operators with preincrement and postincrement options are 

++x and x++, respectively. Expressions for decrement operators with the preincrement 

and postincrement options are --x and x--, respectively. 

Math 

CASL supports both standard mathematical operations and binary operations. 

Standard mathematical operations include addition, subtraction, multiplication, and 

division, which are represented by +, -,*, /,and% (modulo division), respectively. For 

example, if you want to increment a variable i by one, you use the statement i=i+1. 

Binary operations allow integers to be masked against one another to extract bit 

patterns. Supported binary operations include: AND (&), OR (|),XOR (^), NOT (~), 

and left/right shifts (>). 

Comparison Operators 

Comparison operators test the value of an expression. Comparison operators include: 

• x> y, which reads x is greater than y 

• x< y, which reads x is less than y 

• x>=y, which reads x is greater than or equal to y 

• x


if((i=1)==1) 

print(i); 

You can invert expressions for comparison with the ! operator. Expressions preceded 

by a ! evaluate false if the expression value is nonzero. For instance, if i is NOT 1 you 

enter the following: 

if(! (i == 1)) 

print(i); 

Negation with ! is most useful when comparing something to zero. !z evaluates true if 

z is zero. You can combine these rules to see if a packet is read from ip_input() by 

writing: 

if(!(packet = ip_input(2000, filter)) 

print("didn't get a packet"); 

You do not need to compare an expression's value to >0to see if the expression is 

nonzero, for example if(i > 0). If the expression evaluates nonzero, it evaluates true. If 

the expressions is zero, it evaluates false. Consider the following statement: 

if(i) 

print(i); 

else 

print("i is zero"); 

The above statement prints the value of i if i is not zero. 

Control Statements 

Control statements affect the flow of a program. Control statements are: 

• loops, which cause a piece of code to be executed zero or more times, or 

• conditionals, which cause a piece of code to be executed only if the condition is 

satisfied 

Control statements operate on other statements and are terminated with a semicolon. 

Loops 

There are two loops types in CASL–while and for. while and for are described in the 

subsequent sections. 

While 

while statements represent loops that are not implicitly terminated. while loops 

execute their bodies until their conditional arguments are satisfied. while loops are 

written as follows: 

while (conditional) statements 

A-14 Appendix A


In the above statement, conditional is an expression and statements is either a 

statement or a group of statements enclosed in curly braces. The following is an 

example statement for a while loop: 

while(i > 0) 

i=i-1; 

For 

for statements represent loops that generally have implicit termination. for statements 

consist of three parts: an initializer, a conditional, and an iterator. 

• The initializer is intended to set up a counter or some other place holder variable 

for the loop. 

• The conditional works the same way a while conditional works; it is intended to 

terminate the loop when the condition evaluates false. 

• The iterator is intended to move the loop forward, typically advancing or 

decrementing a counter. 

The following is an example statement for a for loop: 

for(i=0;i


Loop control statements are only valid within loops. If you are not in a loop, you 

cannot execute a break or continue. if conditionals are not loops and remember the 

control statement affects the closest loop. 

Consider the following statement: 

for(;;) 

while(1) 

if(c == 1) 

break; 

In the above statement, continue affects while, not for. continue is valid in this 

statement because it is executed while at least one loop is in effect. 

Now, consider the statement: 

if(1) 

break; 

The above statement is not valid because a loop is not present. 

Conditionals 

In CASL, conditional statements are if. When the conditional argument evaluates true, 

if executes its body of statements. Consider the following statement: 

if(i == 1) { 

print(i); 

print("done"); 

} 

When i is equal to 1, the above statement executes code in the body of the conditional. 

Code can also be executed when a loop evaluates false using an else extension. The 

body of else is executed when if is false. For instance: 

if(0) 

print("foo"); 

else 

print("bar"); 

The above statement prints the string "bar". (The 0 conditional always evaluates false.) 

if/else statements can be chained indefinitely using else if. For instance: 

if(i == 1) 

print("foo"); 

else if(i == 2) 

print("bar"); 

elseif(i


print("baz"); 

else 

print("quux"); 

The above statement prints "foo" if i is 1, "bar" if i is 2, "baz" if i is 3,and"quux" if i 

is any other value. 

Subroutine Calls 

Subroutine calls divert control to code in the named subroutine. Subroutine calls pass 

arguments to subroutines, affecting execution of subroutines. Subroutines return 

values, which you can obtain by assigning subroutine call expressions to variables. 

The syntax for a subroutine call is function(argument0, argument1, argumentN), 

where function is the name of the function (e.g., ip_input) and argumentX is the 

argument at position X. For example if foo is a function that takes as an argument a 

value and has as a return value of the value plus one, the following statement prints a 

value of two: 

{ 

i=1; 

i=foo(i); 

print(i); 

} 



A-18 Appendix A 

Lists 

This section describes elements relating to lists. Lists represent collections of data, 

composed of individual variables. Lists can grow or shrink dynamically. You can use 

lists to represent complicated strings and packets. You can also use lists as data 

structures for CASL programs. 

List Creation 

There are two ways to create a list. You can create a list using a list comparison 

operator. Or, you can create a list by creating a new list and then using a list operator 

to assign an element to the list. 

As mentioned above, you can create a list using the list composition operators [and]. 

The square brackets enclose a comma separated list of element. The following 

statement creates a new list: 

[ foo, bar, baz, 1 ] 

The above statement creates a list containing the variables foo, bar, baz, and1. 

You can also create a new list using a list operator to assign an element to the list. More 

specifically, you assign the name of the list to an expression with a list operator 

operating on the name and then insert a new element. Consider the following 

statement: 

list = list push foo; 

The above statement creates a new list called list which contains only the element foo. 

Recursion 

Lists can contain any variable, including other lists. Lists can nest indefinitely. 

Routines that act on lists expand elements from lists in the order it encounters them. 

For example: 

[ "foo ", "bar ", [ "baz ", "quux " ], "zarkle" ]; 

The above statement defines a string list that evaluates to the following: 

"foo bar baz quux zarkle" 

When stepping through a list with list operators, an element of a list that is itself a list 

is returned as the entire list. It will not be returned as the first element of the list. The 

same string list above is processed with the following statement: 

{ 

list = [ "foo ", "bar ", [ "baz ", "quux " ], "zarkle" ]; 

x = pop list; 

y = pop list; 

z = pop list;


} 

print(z); 

The above statement prints the string "baz quux" because the value of z is equal to the 

third element of the list list. 

List Operators 

There are four list operators. They are as follows: 

• head, which takes an element from the head of the list 

• tail, which takes an element from the tail of the list 

• prepend, which adds an element to the head of the list 

• append, which adds an element to the tail of the list 

Head and tail operate on a list, evaluating to the element removed from the list. The 

following is an example head statement: 

{ 

} 

list = [ foo, bar, baz ]; 

x = head list; 

print(x); 

The above statement prints the value of foo, the first item (the head) of the list. 

NOTE: You can use the head statement format to create a tail statement. To 

create a tail statement, you simply replace head with tail in the head statement 

format. 

prepend and append operate on a list and an element to add to that list. If the list 

referred to doesn't already exist, it is created. An example of a prepend statement is: 

{ 

list = [ foo, bar ]; 

list = list prepend baz; 

print(list); // list is now [foo, bar, baz] 

} 

The above statement prints the values of foo, bar, andbaz. 

NOTE: You can use the format of the prepend statement to create an append 

statement. To create an append statement, you simply replace prepend with 

append in the prepend statement format. 



The commonly used computer stack terms, push and pop, are aliases for prepend and 

head, respectively. 

List Control 

You can use the foreach statement to step through each element in a list. A foreach 

statement has two parts:1) a binding name; and 2) a list to operate on. The binding 

name is set to refer to each element in the list. The following is an example of a 

foreach statement: 

{ 

list = [ foo, bar, baz ]; 

foreach element [ list ] { 

print(element); 

} 

} 

The above statement prints the values of foo, bar, andbaz, in order. The looping 

control statements continue and break function as they normally do. 

NOTE: List expansion within foreach is recursive. A list containing other lists 

is expanded to all enlisted data elements. 

A-20 Appendix A


Packet Headers 

This section describes elements related to packet headers. You can create a packet that 

consists of a series of protocol headers, each with a fixed format. You can define fixed 

format protocol headers with the protocol structure construct. The format lays out 

bit-by-bit the order and the contents of a protocol structure. 

Definition 

Protocol structures are defined by define statements. A define statement creates a new 

structure with a specified name. The define statement consists of a curly-brace 

enclosed definition. The definition is composed of field specifiers which dictate the 

name, length, and order of the protocol fields. A basic protocol structure definition is 

as follows: 

define foo { 

// contents here 

} 

The above statement creates a new structure named foo. However, foo is meaningless 

since it does not define fields. Consider the statement below, where ip defines fields: 

define ip { 

ip_version: 4 bits; 

ip_headerlen: 4 bits; 

ip_tos: 8 bits; 

ip_length: 16 bits; 

ip_id: 16 bits; 

ip_df: 1 bit; 

ip_mf: 1 bit; 

ip_offset: 14 bits; 

ip_ttl: 8 bits; 

ip_protocol: 8 bits; 

ip_cksum: 16 bits; 

ip_source: 32 bits; 

ip_destination: 32 bits; 

} 

The above statement defines an IPv4 header. Each specifier enclosed in the curly 

braces denotes a field of the structure. Each field consists of a name, a colon, and a 

size. The name in a field can be any valid variable name. The size in a field can be 

specified in terms of any number of bits, bytes, words, and dwords. Words are16 bit 

quantities; dwords are 32 bit quantities. Protocol structure definitions can mix any 

combination of sizes specified in bytes, bits, word, or dwords. 



Instantiation 

A new instance of a protocol structure is created by assigning its name to a variable 

with the new operator. This creates a buffer large enough to hold the structure, with 

all fields in the structure set to 0. When you assign a buffer to another variable, the 

buffer is copied. For example, consider the following statement: 

{ 

x = new ip; 

y=x; 

z=y; 

} 

In the above statement, x, y,andz are all independent copies of ip structures. 

Field Reference 

Individual fields of a structure are referenced with the field reference operator. For 

instance, if x is an ip structure x.ip_ttl refers to the ip_ttl field of x. 

Any number can be assigned to a protocol structure field. Numbers are packed in 

Internet byte order into the field. Numbers will use as many bits as the field is large. It 

is an unchecked error to try to fit a value in a field that is too large for the value. For 

instance if foo is a field that is 1 bit wide, x.foo = 4 results in undefined behavior. 

Special Fields 

Every buffer variable has four special fields which reference arbitrary locations within 

the buffer. The fields are bits, bytes, words, and dwords. The fields are specified with 

ranges corresponding to how many of units are referenced. 

The syntax of a direct memory reference to a structure follows these examples: 

• z.bits[x .. y], which reads bits x through y of the buffer z 

• z.bytes[x .. ], which reads bytes x through the end of buffer z 

• z.word[x], which reads word x of buffer z 

The above-listed statements evaluate to integer numbers. The statements can be 

assigned to, for example: 

z.bit[10] = 1; 

The above statement sets the eleventh bit (counting from 0)ofthebufferz to 1. 

Buffer Size 

Buffers represent an arbitrary amount of data. You obtain buffer size using the size 

function. size evaluates to the size, in bytes, of its argument. Consider the following 

statement: 

A-22 Appendix A


{ 

x = new ip; 

print(size(x)); 

} 

The above statement prints 20, which is the size (in bytes) of an IP header. 

Variable Size Buffer 

A variable size buffer is a structure that is defined without any fields. A variable size 

buffer can only be accessed using special fields. A variable size buffer automatically 

expands to fit new data. 

Buffer Scale 

You can define a default scale in a variable size buffer. A default scale is defined in 

the definition using scale. scale can be represented in bits, bytes, words, or dwords. 

When scale is defined, you can access the associated special field in the buffer by 

specifying the range. You do not need to include the field reference. 

Structure Extraction 

A buffer can contain several structures. You can obtain a structure from the buffer by 

extracting data with the extract operator. Extract is specified as follows: 

foo = extract bar from baz; 

The above statement extracts a bar structure from the buffer baz, leaving the 

remaining bytes in baz. To leave remaining bytes, write the following: 

foo = extract z bytes from baz; 

The above statement extracts zbytesfrom baz, leaving the remaining bytes. 



Subroutines 

This section describes elements related to subroutines. 

Declaration 

Subroutines are defined with the proc keyword. A subroutine takes a fixed number of 

arguments and returns a value. Subroutines can be defined anywhere. They do not 

require prototypes. To declare a new structure, you use the proc keyword as follows: 

proc foo(arg1, arg2, argN) { 

// statements 

} 

In the above statement, foo names the new function, argX specifies the name of the 

argument at place X, and the body of the function appears in curly braces. Within the 

body of the function, the variables named argX are replaced by the value of the 

arguments passed at place X. For instance, to declare a function called foo that takes 

an argument named x and adds 1 to it you write the following: 

proc foo(x) { 

x=x+1; 

print(x); 

} 

Argument Passing 

An argument specified in a function's declaration is called a formal argument. The 

name of the argument is available to all the statements executed in the body of this 

function. An argument passed to a function in a subroutine call is called a calling 

argument. Its value is made available through the name of the corresponding formal 

argument. 

Argument passing in CASL is by value. (There is one exception, which is described 

below.) Thus, the formal argument is bound to the VALUE of the calling argument not 

the actual calling argument. Consider the following statement: 

proc foo(x) { 

x=x+1; 

print(x); 

} 

In the above statement foo, the addition of 1 to the argument x is never seen by the 

caller of foo—it affects only the variable x within the function foo. 

A-24 Appendix A


The only exception to this argument is structure and list passing. References to lists 

and structures are passed. Changes to lists and structures affect variables on the caller 

side and variables in the body of the subroutine. Thus, it is easy to write routines that 

set fields within structure headers or to change the order of packet lists. 

Variable Argument Lists 

CASL supports creating procedures that take a variable number of argument using the 

list type. A variable argument function is defined as an argument that takes more 

calling arguments than formal arguments. The final formal argument becomes a list of 

all the extra calling arguments. Consider the following statement: 

proc foo(x) { 

... 

} 

foo(i, j, k); 

The above statement defines a function called foo. foo can take a variable number of 

arguments. The function call to foo() specifies three arguments; the definition 

specifies one argument. Therefore, x becomes a list containing i, j, andk. 

Return Values 

Subroutines end when either: 1) a curly brace is reached; or 2) a control reaches a 

return statement. A return statement ends the execution of a subroutine and causes the 

subroutine call to evaluate to the value specified as return argument. For instance, to 

make foo return the value it calculated change use the following statement: 

proc foo(x) { 

x=x+1; 

return(x); 

} 

In the above statement, a call to foo will evaluate to the argument passed to foo,plus1. 

Any variable can be returned through the return statement. Multiple values are 

returned from a function using list variable returns. 

Scope 

Scope is the space within which a variable is valid. When a program is executes within 

a subroutine, any variable it defines is accessible only within execution of the 

subroutine. The caller of the subroutine cannot access variables defined in the 

subroutine. 

Code that is not executing within a subroutine is in global scope. Variables defined in 

global scope are accessible anywhere—even within subroutines. The following 

statement illustrates this concept: 



i=1; 

foo(i); 

//global 

proc foo(x) { 

x = x + 1; 

y = i; 

} 

return(x); 

// local, "x" can only be accessed within "foo" 

// "y" is local and can only be accessed within 

// "foo," but "i" is global and can be accessed 

// anywhere. 

A-26 Appendix A

CASL Built-in Functions 


The CASL interpreter includes built-in functions. Built-in functions are subroutines 

that cannot be easily programmed in CASL. Therefore, the CASL interpreter includes 

them as built-in functions. Built-in functions are divided into three categories: network 

I/O, file I/O, and misc (miscellaneous). 

Network I/O Built-in Functions 

Network I/O functions include subroutines that can be used to read packets from the 

network or to write packets to the network. Network I/O functions are described in 

subsequent sections. 

The IP Output Function 

IP output writes a complete IP packet (including the IP header) to the network. IP 

output in CASL is accomplished via the ip_output() routine. ip_output() takesasan 

argument a list of data elements that are expected to comprise an IP packet. A single 

buffer variable can also be passed to ip_output() for writing. 

Sending a well formed IP packet involves some tricky issues, for instance checksum 

and length calculation. The IP and transport headers require knowledge of the length 

of the entire packet, the lengths of the individual headers, and the calculation of a 

checksum over some of the headers and the data. 

You can write CASL code to compute checksums and lengths. However, this code can 

potentially be cumbersome and error-prone. Rather than requiring the implementation 

of CASL-scripted checksum and length calculation, the CASL interpreter provides a 

few shortcuts to solve these issues transparently. For the basic IP protocols (e.g. IP, 

TCP, UDP, and ICMP), the CASL interpreter automatically calculates checksum 

fields, packet lengths, and header lengths. The appropriate values are filled in before 

the packet is written to the wire. The computed values do not affect the passed in data; 

computed values only affect the packet written to the wire. In order to allow for 

arbitrary packets (possibly with intentionally bad header values) to be sent, CASL does 

not touch header fields it thinks have explicitly been filled in. For the basic IP 

protocols, this means that CASL does not fill in values for fields that already have 

nonzero values. 

The IP Fixup Function 

It is sometimes important to fill in the variable header fields of an IP datagram without 

outputting it to the network. This is a common requirement of IP fragmentation code. 

CASL supports this with the ip_fixup() procedure. Ip_fixup() takes the same 

arguments as ip_output(). However, instead of outputting the packet to the network, 

it returns a new packet. The new packet is a copy of the input with the appropriate 

header fields filled in. 



The IP Input Function 

IP input reads a complete packet (starting with the IP header) from the wire. Packet 

input in CASL is done using the ip_input() routine. Ip_input takes as arguments a 

timeout value, specified in milliseconds, and a tcpdump filter. The timeout specifies 

how long to wait for a packet before giving up and the filter defines which packets to 

read. If the millisecond timer runs out before a packet is read, ip_input returns the 

integer value 0. 

If a packet is read successfully within the allotted time, it is returned minus the 

link-layer (Ethernet) header as a buffer. The size of the buffer can be queried with 

size() to determine the length of the inputted packet. 

The IP Filters Function 

CASL allows the explicit setting of global filters that affect all reads by using the 

ip_filter() routine. ip_filter takes as an argument a tcpdump filter, through which all 

packets read by CASL must successfully pass before being returned via ip_input. 

On some computer architectures (notably 4.4BSD) ip_filter() also sets kernel packet 

filters. Enabling a kernel packet filter prevents the CASL interpreter from reading 

packets you specified not be read. This can be a major performance benefit, as it 

prevents the CASL interpreter from needing to explicitly filter out spurious packets. 

The IP Range Function 

Ranges of IP addresses can be quickly parsed into a list of IP address using the 

ip_range routing. The argument is a string describing a range of address and the return 

value is a list of integers. 

A-28 Appendix A

File I/O Built-in Functions 


The file I/O functions are subroutines which can be used to read and write to files. The 

file I/O functions are described in the table below. 

Table A-1. File I/O built-in functions. 

Function 

open() 

close() 

read() 

write() 

fgets() 

rewind() 

fastforward() 

remove() 

Description 

Takes a filename as an argument, and returns a descriptor 

number that can be used to manipulate that file. If the file 

doesnotexist,itwillbecreated;ifitdoes,itwillbe 

appended to. If the file cannot be opened, "0" is returned. 

Takes a descriptor number as an argument, and closes the 

associated file, flushing any pending output and preventing 

further manipulation of the file. 

Takes as arguments a descriptor number and a count of 

bytes to read. It reads at most the specified number of bytes 

from the file, and returns a buffer containing those bytes. 

The number of bytes actually read by the file can be queried 

with the "size()"command; if no data was read, "0" will be 

returned. 

Takes as arguments a descriptor and a data element (which 

can be a list or a buffer, or any of the basic types) to write to 

the file matching that descriptor. The number of bytes 

written to the file is returned. 

Takes as arguments a descriptor and a number representing 

the maximum number of characters to read from a file. It 

then reads at most that many characters, stopping when a 

line terminator (the new line character) is found. It returns 

the data read, or "0" if nothing was read. 

Repositions the offset into the descriptor given as an 

argument, so that it points to the beginning of the file. This 

allowsthesamedatatobereadfromthesamefile 

descriptor twice. 

Repositions the offset into the descriptor given as an 

argument, so that it points to the end of the file. This allows 

recovery from rewind(), for further writing. 

Deletes the specified file from the system, returning "1" if 

successful. 



seek() 

Repositions the offset into the descriptor give as an 

argument, so that it points the offset referenced by the 

second argument. A third argument can be given to specify 

what the new offset is relative to. The possible values are as 

follows. SEEK_SET to set the offset from the beginning of 

the file. SEEK_CUR to set the offset relative to the current 

offset. SEEK_END to set the offset value relative to the 

end of the file. Note if the third argument is not given, the 

default is SEEK_SET. 

MISC (Miscellaneous) Built-in Functions 

The misc (miscellaneous) built-in functions are described in the table below. 

Table A-2. Misc built-in functions. 

Function 

print() 

checksum() 

timer_start() 

timer_stop() 

tobuf() 

atoi() 

wait() 

Description 

Takes a list of data elements to write to standard output. 

It writes each of these elements, separated by a space, to 

standard output followed by a new line. 

Takes a list of data elements to perform an Internet 

checksum on. It returns an integer representing the 

checksum of these elements. 

Starts a stopwatch timer in the CASL interpreter. It 

returns a descriptor number, which can be used to 

retrieve the amount of time that has elapsed since the 

timer started. 

Takes a descriptor number as an argument, stops the 

stopwatch timer associated with the descriptor, and 

returns the number of milliseconds that have elapsed 

since the timer was started. 

Takes a list as an argument and returns a buffer 

containing the ordered contents of that list. 

Takes a string as an argument and returns the integer 

represented by that string. 

Takes an integer as an argument, representing the 

number of seconds for the interpreter to wait before 

continuing. 

A-30 Appendix A


getip() 

putip() 

getenv() 

setenv() 

strep() 

exit() 

size() 

rand() 

gettimeofday() 

Takes a string as an argument and returns a number 

representing the IP address contained in that string. 

Takes a binary IP address as an argument and returns a 

string representing that IP address. 

Retrieves the specified environment variable 

(represented as a string), returning it's value as a string 

(or null if the variable is not set). 

Changes the value of the environment variable specified 

as it's first argument (a string) to the value represented 

by it's second argument. 

Returns an ASCII string representation of an arbitrary 

variable, useful for obtaining strings representing 

integers. 

Exits the CASL interpreter, taking an optimal argument 

of the exit code. 

Returns the size in bytes of a buffer argument, or the 

number of entries in a list argument. 

Returns a pseudo random number. If an optional 

argument is given, the random number generated is 

seeded with that number. 

Returns the time in milliseconds since midnight. 



Summary 

This chapter covered CASL. Specifically, this chapter: 

• explained the benefits of writing programs in CASL 

• introduced the main elements of a CASL program 

• provided a reference section, which contains detailed descriptions of elements that 

can be used in CASL programs 

• included a summary of CASL built-in functions that can be used in CASL 

programs 

You can use the information provided in this chapter as reference material when 

writing your own CASL programs. 

A-32 Appendix A

BScanning: Command Line 

Options 

Introduction 

B 

This appendix lists options that can be used when you want to run the scan engine 

(engine.exe) from the command line. You can also see a list of the available flags for 

the engine commandbyenteringthecommandnamefollowedbythe-h flag at the 

command prompt. 

Running Scans From the Command Line 

You can run the scan engine non-interactively from the command line. Running from 

the command line is useful for scheduled or script-defined scans. The command usage 

and the available flags and options are given below. 

engine 

For scheduling routine scans, it may be desirable to run CyberCop Scanner from the 

command line. To run CyberCop Scanner from the command line, you change to the 

directory where CyberCop Scanner is located and enter the following at the command 

prompt: 

>engine 

The default configuration file scan.ini will be used. The default configuration file is 

included in your CyberCop Scanner distribution. To use the file, you must make a copy 

of it and then edit it (using Notepad) to specify the desired host range, scan settings, 

and module settings. To specify a different configuration file, you use the -cf flag. By 

default, the results of the scan will be stored in the text file scan.txt. To specify a 

different output text file, you use the -of flag. You can also create a configuration file 

using the CyberCop Scanner graphical user interface and use it with a command line 

scan. 

NOTE: The command line version of the scan engine does not report results to 

the event database. It reports results to a text file. 

You may run either a scan or a probe from the command line. To specify the either a 

scan or a probe, you use the -rm flag. You may also run in either a normal mode or a 

debug mode. Debug mode allows you to debug scan engine operation. To specify 

either normal or debug mode, you use the -om flag. You may also specify either the 

console or a file as an output device during a scan. To do this, you use the -od flag. 

CyberCop Scanner Getting Started Guide B-1

Scanning: Command Line Options 

The available flags are listed below. To learn more about performing a scan or a probe 

and about specifying scan settings, refer to Chapter 3, “Getting Started: Performing a 

Scan.” 

Usage: 

engine [-cf file] [-of file] [-od device] [-om mode] [-rm mode] 

Flags and options: 

-cf configuration file in win.ini format (default is scan.ini) 

-of output file (default is scan.txt) 

-od output device use CONSOLE or FILE (default is CONSOLE) 

-om output mode output message mode; use DEBUG or NORMAL 

(default is NORMAL) 

-rm run mode use SCAN or PROBE (default is SCAN) 

-id engine id use an unsigned integer (default is 0) 

-h help lists available flags for engine command 

B-2 Appendix B

Summary 


In this appendix, you learned about the options that can be used to run the scan engine 

from the command line. 

CyberCop Scanner Getting Started Guide B-3


B-4 Appendix B

Glossary 

administrator 

authentication 

domain 

domain name system (DNS) 

dual-homed 

electronic mail (e-mail) 

firewall 

file transfer protocol (FTP) 

gateway 

Gopher 

hardened 

hypertext transfer protocol 

(HTTP) 

inside network 

The individual responsible for a system or network or systems. 

Method to guarantee that the sender of information is who the 

sender purports to be. 

A part of the DNS naming hierarchy. Domain names consist of 

a sequence of names (labels) separated by periods (dots). 

The online distributed database system used to map 

human-readable machine names into IP addresses. DNS servers 

throughout the Internet implement a hierarchical namespace 

that allows sites to assign machine names and addresses. 

A host with two network adapters, hence addresses, that acts as 

a router between the subnetworks to which those interfaces are 

attached. 

The electronic version of the postal system. 

A configuration of routers and networks placed between an 

organization’s internal internet and a connection to an external 

internet to provide security. 

The TCP/IP protocol for file transfer from one machine to 

another. 

Dedicated host that interconnects two different services or 

applications. 

A system for organizing and displaying files on Internet servers 

that existed before the World Wide Web. Gopher servers 

display hierarchically structured list of files. 

An operating system or application that has been modified to 

eliminate elements that make it vulnerable to attack or failure. 

A TCP/IP protocol that supports the World Wide Web. 

The network of machines protected by the firewall (inside the 

security perimeter). 

CyberCop Scanner Getting Started Guide G-1

Glossary 

Internet 

Internet Service Provider 

(ISP) 

IP address 

IP spoofing 

local area network (LAN) 

NetShow 

network 

network adapter 

NNTP 

outside network 

plug gateway 

post office protocol (POP) 

port 

A collection of interconnected computer networks that can 

communicate with each other using an agreed on set of 

protocols—referred to as TCP/IP, although these are only two 

of many. 

A company that provides access to the Internet, and often other 

services such as Web hosting to companies and individuals for 

a fee. 

A 32-bit integer address assigned to each host on the Internet. 

Altering an IP address to appear to be from a different host. 

Used by hackers to gain unauthorized to a networked resource. 

A group of computers and peripherals such as printers that are 

all connected to each other and are located in a centralized area, 

such as one floor of a building. 

A TCP/IP protocol that provides support for streaming audio 

and video. 

A group of computers and peripherals that are connected to 

each other. 

A physical device in a computer that links the computer to the 

network. Also called a network interface card. 

A TCP/IP protocol that provides support for Usenet news feeds 

and news reading. NNTP stands for network news transfer 

protocol. 

The network of machines not protected by the firewall (outside 

the security perimeter). When a firewall protects a network 

connected to the Internet, the outside network is the rest of the 

Internet. 

A general purpose program implemented as a proxy that allows 

data to flow from an inside host to an outside host. Plugs allow 

access through the firewall for data that doesn’t have its own 

proxy. 

A client-server protocol for handling user electronic mail 

boxes. The user’s mailbox is kept on the server, rather than on 

the user’s personal machine. 

A specific pathway for data and control information. 

G-2 Glossary

Glossary 

protocol 

proxy 

RealAudio/RealVideo 

router 

security perimeter 

service pack 

simple mail transfer protocol 

(SMTP) 

simple network management 

protocol (SNMP) 

smap 

smapd 

subnet 

A formal description of message formats and the rules that must 

be followed to exchange those messages. 

Specialized applications or programs that run on a firewall host. 

These programs take users’ requests for Internet services (such 

as FTP and TELNET) and forward them according to the site’s 

security policy. Proxies are replacements for actual services 

and serve as application- level gateways to the services. 

A TCP/IP protocol that supports audio data. 

A special purpose, dedicated machine that attaches to two or 

more networks and forwards packets from one to the other. An 

IP router forwards IP datagrams among the networks to which 

it is connected. An IP router uses the destination address on the 

datagram to choose the next hop to which it forwards a 

datagram. 

The perimeter around the networks the firewall is trying to 

protect. 

Software from Microsoft that address deficiencies in released 

versions of their software. A service pack can include updates, 

system administration tools, additional components, drivers, 

andsoon. 

A TCP/IP protocol for transferring electronic mail messages 

from one host to another. SMTP specifies how two hosts 

interact and the format of control messages they exchange to 

transfer mail. 

A protocol used to manage hosts, routers, and the networks to 

which they attach. 

A small program intended solely to handle incoming SMTP 

connections. 

A second program which is invoked regularly (typically once a 

minute) to process the files queued in the queue directory, 

normally by handing them to Sendmail for delivery. 

The portion of an IP address can be locally modified by using 

host address bits as additional network address bits. These 

newly designated network bits define a network within the 

larger network. 

CyberCop Scanner Getting Started Guide G-3

Glossary 

subnet addressing 

TELNET 

transmission control 

protocol/internet protocol 

(TCP/IP) 

transparency 

trusted network 

uniform resource locator 

(URL) 

untrusted network 

VDOLive 

virtual private network (VPN) 

Web (WWW, World Wide Web) 

Web browser 

well-known port 

wide area network 

An extension of the IP addressing scheme that allows a site to 

use a single IP network address for multiple physical networks 

by dividing the destination address into a network portion and 

local portion. 

A TCP/IP protocol that provides support for remote login and 

virtual terminal over a network. 

The suite of data communications protocols that underlies the 

Internet. 

A method for providing network access through a firewall 

without user interaction with the firewall. Access that is 

allowed at a site is done invisibly to the user. 

The network protected by the firewall (usually your corporate 

network). 

A string that gives the location of a information. The string 

begins with a protocol type (for example, FTP, HTTP) followed 

by the domain name of a server and the path name to a file on 

that server. 

The network not protected by the firewall, but from which the 

firewall accepts requests (usually the Internet). 

A protocol that supports streaming audio and video. 

A physically disparate set of networks that share a common 

security perimeter through secured internetwork 

communication. 

The large-scale information service that allows a user to browse 

information. The Web offers a hypermedia system that can 

store information as text, graphics, audio, etc. 

A software program that lets you access the World Wide Web. 

Netscape Navigator and Microsoft Internet Explorer are 

well-known Web browsers. 

Any of a set of protocol port numbers assigned for specific uses 

by transport level protocols (for example, SMTP and UDP). 

Each server listens at a well-known port, so clients can locate it. 

A network where the components are physically distant from 

each other. 

G-4 Glossary

CyberCop Scanner Getting Started Guide

Create successful ePaper yourself

Delete template?

Save as template?