Target Configuration

In document Hacking attacks and Examples Test pdf (Page 156-165)

Upon starting CIS, you’ll see the main screen shown in Figure 5.2. CIS can scan a target for the following checks:

Figure 5.2 CIS main screen.

Web Checks

■■ Web service is running

■■ Misc Evaluate Web service software

■■ Misc MS Proxy Server

■■ Misc Remote IIS administration

■■ Execute Commands msadc

■■ Execute Commands campas

■■ Execute Commands jj

■■ Execute Commands formmail

■■ Execute Commands formmail.pl

■■ Execute Commands faxsurvey

■■ Execute Commands get32.exe

■■ Execute Commands alibaba.pl

■■ Execute Commands tst.bat

■■ Execute Commands phf

■■ Execute Commands webdist.cgi

■■ Execute Commands aglimpse.cgi

■■ Execute Commands echo.bat

■■ Execute Commands hello.bat

■■ Execute Commands loadpage.cgi

■■ Execute Commands Oracle Bat files

■■ View files iissamples/issamples/query.idq

■■ View files iissamples/issamples/fastq.idq

■■ View files iissamples/exair/search/search.idq

■■ View files iissamples/exair/search/query.idq

■■ View files prxdocs/misc/prxrch.idq

■■ View files iissamples/issamples/oop/qfullhit.htw

■■ View files iissamples/issamples/oop/qsumrhit.htw

■■ View files scripts/samples/search/qfullhit.htw

■■ View files scripts/samples/search/qsumrhit.htw

■■ View files Webhits

■■ View files scripts/samples/search/author.idq

■■ View files scripts/samples/search/filesize.idq

■■ View files scripts/samples/search/filetime.idq

■■ View files scripts/samples/search/query.idq

■■ View files scripts/samples/search/queryhit.idq

■■ View files scripts/samples/search/simple.idq

■■ View files scripts/samples/search/webhits.exe

■■ View files iissamples/exair/howitworks/codebrws.asp

■■ View files msadc/samples/selector/showcode.asp

■■ View files scripts/rguest.exe

■■ View files cgi-bin/rguest.exe

■■ View files scripts/wguest.exe

■■ View files cgi-bin/wguest.exe

■■ View files Search admin webhits.exe

■■ View files view-source

■■ View files ~root

■■ View files ~ftp

■■ View files FormHandler.cgi

■■ View files AltaVista query

■■ View files search.cgi (EZSHOPPER)

■■ View files sojourn.cgi

■■ View files windmail

■■ Information cfcache.map

■■ Information idc reveals physical paths

■■ Information bdir.htr

■■ Information server-info

■■ Information server-status

■■ Information robots.txt

■■ Information cgi-bin/enivron.pl

■■ Information scripts/environ.pl

■■ Information testcgi

■■ Information test-cgi

■■ Information test.cgi

■■ Information cgitest.exe

■■ Information nph-test-cgi

■■ Information mkilog.exe

■■ Information mkplog.exe

■■ Information cgi-bin/htimage.exe

■■ Information scripts/htimage.exe

■■ Information names.nsf

■■ Information catalog.nsf

■■ Information log.nsf

■■ Information domlog.nsf

■■ Information domcfg.nsf

■■ Information doctodep.btr

■■ FrontPage administrators.pwd

■■ FrontPage authors.pwd

■■ FrontPage users.pwd

■■ FrontPage service.pwd

■■ FrontPage IIS Account shtml.dll

■■ Directory Listing cgi-bin

■■ Directory Listing scripts

■■ Directory Listing Netscape PageService

■■ Shell check cgi-bin/sh

■■ Shell check cgi-bin/csh

■■ Shell check cgi-bin/ksh

■■ Shell check cgi-bin/tcsh

■■ Shell check cgi-bin/cmd.exe

■■ Shell check scripts/cmd.exe

■■ Perl cgi-bin/cmd32.exe

■■ Perl scripts/cmd32.exe

■■ Perl cgi-bin/perl.exe

■■ Perl scripts/perl.exe

■■ Perl Errors reveal info

■■ Create file newdsn.exe

■■ Buffer overrun fpcount.exe

■■ Buffer Overrun count.cgi

■■ Predictable SessionID rightfax

■■ Search iissamples/issamples/query.asp

■■ Search iissamples/exair/search/advsearch.asp

■■ Search samples/search/queryhit.htm

■■ Search Netscape

■■ Password Attacks iisadmpwd/aexp3.htr

■■ HTTP Methods allowed to root directory

■■ HTTP Methods allowed to /users

■■ HTTP Methods allowed to /cgi-bin

■■ HTTP Methods allowed to /scripts

■■ Create file in /users directory

■■ Create file in /cgi-bin directory

■■ Create file in /directory

■■ Create file in /scripts directory

■■ File Upload repost.asp

■■ File Upload cgi-win/uploader.exe

■■ View Source Netscape append space

■■ View Source shtml.dll

■■ View Source ::$DATA

■■ Configuration .htaccess

SMTP Service

■■ SMTP service is running

■■ Service software enumeration

■■ VRFY command allowed

■■ VERB command allowed

■■ Mail relaying allowed

■■ Windows 2000 SMTP IIS Service Buffer Overrun

■■ SLMail Buffer Overrun

■■ Exchange Service Packs

■■ Sendmail Wizard

■■ Sendmail debug

■■ Sendmail piped aliases

■■ Mail to programs

■■ Mail from bounce check

■■ Sendmail 8.6.9 IDENT vulnerability

■■ Sendmail 8.6.11 DoS vulnerability

■■ Sendmail 8.7.5 GECOS buffer overrun vulnerability

■■ Sendmail 8.8.0 MIME buffer overrun vulnerability

■■ Sendmail 8.8.3 MIME buffer overrun vulnerability

■■ Decode alias check

■■ Mail forgery

FTP Checks

■■ FTP daemon is running

■■ Service Software enumeration

■■ IIS 4 DoS

■■ Anonymous logins allowed

■■ Hidden /c directory found

■■ Uploads allowed to /c directory

■■ Uploads allowed to root

Portmapper

■■ Portmapper is listening

■■ Dump RPC Services running

POP3 Checks

■■ POP3 Daemon is running

■■ Service software enumeration

■■ QPOP buffer overrun

MS SQL Server Checks

■■ MS SQL Server is running

■■ sa login has no password

■■ Dump logins from master database

■■ Login has a blank password

■■ Login’s password is same as login name

■■ Dump databases

■■ Guest account is enabled on database

■■ Dump logins with access to database

■■ Audit database roles in database

■■ Audit members of server-wide sysadmin role

■■ Audit members of server-wide securityadmin role

■■ Audit members of server-wide setupadmin role

■■ Audit members of server-wide serveradmin role

■■ Audit members of server-wide diskadmin role

■■ Audit members of server-wide processadmin role

■■ Audit members of server-wide dbcreator role

■■ Check if SQL Authentication is allowed

■■ Check if Mixed Mode Authentication is allowed

■■ Check if Windows NT Authentication is allowed

WINDOWS NT Accounts

■■ Enumerate Account Name

■■ User Full name

■■ User Comment

■■ User Privs

■■ User Last logon

■■ User Last password change

■■ Account has a blank password

■■ Account has password same as user ID

WINDOWS NT Shares

■■ Share Name

■■ Share Type

WINDOWS NT Groups

■■ Enumerate group names

■■ Enumerate and list members

WINDOWS NT User Mode Service Checks

■■ Enumerate running user mode services

■■ Check binary path

■■ Audit permissions on SCM

■■ Security context

■■ Messenger Service is running

■■ Browser Service is running

■■ Index Service is running

■■ SQL Service is running

■■ Telnet Service is running

■■ RASMAN Service is running

■■ IP RIP Service is running

■■ SNMP Agent Service is running

WINDOWS NT Driver Service Checks

■■ Enumerate running driver services

■■ Check binary path

■■ Audit permissions on SCM

WINDOWS NT Registry Checks

■■ Audit permissions on various registry keys

■■ Check the values of various registry keys

Now that we’re ready to configure our target information, follow these steps:

Step 1. Click Select Host from the File menu, as shown in Figure 5.3, or click the first icon—the house button—on the main screen.

Step 2. Enter the address of the host we’ll be scanning—in this case, 192.168.0.48. Click Select when finished. Repeat this step to add additional hosts to scan.

Figure 5.3 Selecting a host to scan.

Step 3. Click Select Modules from the File menu, as shown in Figure 5.4, or click the fourth icon—the M button—on the main screen.

Step 4. Click to select the modules you wish to scan against. For our purposes, we’ll elect to scan all modules. When you’re finished, click OK.