
ControlCase

CDD scanning guide

Version 1.0
Sept 23, 2013

History Log

Version: Draft Version 1.0
Date: September 23, 2013
Author: Samir Mondal

Contents
Hardware Pre-requisites ........................................ 3
Installation ................................................... 3
Running a scan ................................................. 4
    Scan Pre-requisites ........................................ 4
    Configure a scan ........................................... 4
    Windows Services required for CDD Scans .................... 5
    Domain/Network Share ....................................... 6
    Firewall Ports ............................................. 6
    High Level Windows Settings required ....................... 6
    License usage .............................................. 6
    Debugging Steps ............................................ 6
UNIX (Linux, Solaris, HP, AIX, MAC OS etc.) .................... 8
    Firewall Ports required .................................... 8
    High Level OS Settings required ............................ 8
    License usage .............................................. 8
    Debugging Steps ............................................ 8
Database ...................................................... 10
    Firewall Ports required ................................... 10
    High Level Database Settings required ..................... 10
    License usage ............................................. 10
    Debugging Steps ........................................... 10
Other sensitive data .......................................... 12
    Regular Expression search ................................. 12
    Custom Word Search ........................................ 13


Hardware Pre-requisites
1. The CDD installation machine (scanner machine) needs to be a brand new
install of Windows 2008 R2 or Windows 7 Enterprise.
2. The Windows operating system should be in the English language (other
languages are not supported at this time).
3. The scanner machine should have a 1 or 2 core 2.4 GHz CPU or better with at
least 200 GB of free disk space and 4 GB RAM. If Windows can run well on the
hardware, so can CDD.
4. We need administrator credentials on the scanner machine to install the
software. This administrator account should be a true administrator with ALL
access rights to the machine, including but not limited to Run as Service,
Install scheduled tasks, Access the network and RDP inbound.
5. The scanner machine should allow standard Windows networking,
administrative shares (ADMIN$ etc.) and RPC ports. Network Discovery and
Windows File Sharing need to be enabled on this machine. The NetBIOS ports
139 and 445 should be open on this machine. Port 745 should be open on
this machine if CDD needs to be accessed remotely.

Installation
Double-click the EXE and provide credentials when asked. The package installs the
web server, application, database server and a scheduled task (cdd_Task).
Once installed, the application can be accessed with a web browser at
http://localhost:745/cdd/
Default user name: cdduser
Default password: cddpassword
Debug steps for installation issues:
1. Credentials not accepted
Please provide correct administrative credentials. The installer checks the
credentials before it starts to install services and copy files.
2. Apache service blocked
The service may be blocked by the Windows firewall, UAC or a third-party
antivirus/firewall. Please allow this service to be installed.
3. Zend Optimizer error on first logon
Please make sure no other Apache/PHP installation is present on the scanner
machine.
4. Windows Task Scheduler error
a. Please make sure the credentials provided at installation time can
run and execute the CDD scheduled task.
b. The above user has write permission on the target folder where CDD is
installed.
c. CDD is not installed on an operating system other than the
allowed platforms.

Running a scan
There are 6 steps involved in configuring and running a CDD scan.
1. Configure scan - In this step the user creates/edits the scans or adds/deletes
the scan items. The user can add as many file system and database items as
they want in a single scan.
2. Validate Credentials - In this step the tool validates the various credentials
provided by the user and marks each process as pass or fail based on the
results. The processes marked as successful are considered for running in
the next phase.
3. Running Tools - In this step the tool invokes the various executables required
to scan the database/file system for cardholder/sensitive data.
4. Collect output/result files - In this step the tool collects the output/result
files generated by the various executables and inserts them into the database
for further processing.
5. Parse the output/result files - In this step the tool parses the output files
generated by running the tools and populates the data in various tables so
that reports can be generated on the fly.
6. Generate reports - In this step the tool generates the various PDF and Excel
reports and keeps them ready for the user to download as a zip. Generating
the PDF and Excel files usually takes some time.

Scan Pre-requisites

ControlCase Data Discovery utilizes native protocols, ports and access to perform
data discovery searches on remote systems. We use neither a custom protocol nor
custom ports to perform the scans.
We use regular Windows networking for our Windows file system scans, SSH-based
scans for Unix-based (and MAC OS) targets, and regular client access protocols
and libraries for all database scans.
The information below will help customers who work in tightly controlled
environments to troubleshoot why scans fail.

Configure a scan
Users can add or modify a partially configured scan by clicking on the New Scan
tab.

Configuring a scan requires a valid license. If you don't have a valid license,
you will not be able to configure a new scan.
There are 2 different types of scans supported by CDD. In terms of database
scanning both scans are the same, but in terms of file system scanning they are
different.
1. Normal Scan - In this type of scan the tool detects 2 card data items from each
file (the count is a configurable item for the support user in the Settings tab).
2. Proximity Scan - In this type of scan the tool detects the chosen number of card
data items from each file.
A scan can be scheduled to run later. For more details please see the section
Scheduling a scan.
The following screenshots explain how to configure a new scan. Enter a name for
the scan (so that you can distinguish between scans) and click NEXT.

There are two types of scans:

File System Scans - Used to scan hard drives on local and network computers
Database Scans - Used to scan databases

Windows Services required for CDD Scans

o NetLogon
o Network Store Interface Service
o Remote Procedure Call (RPC)
o RPC Endpoint Mapper
o Server
o Task Scheduler
o TCP/IP NetBIOS Helper
o User Profile Service
o Workstation
o DCOM Server Process Launcher
o Computer Browser
o Group Policy Client


Domain/Network Share

For Domain level scans (i.e. scan an entire domain from our scanner) we need an
account that has Domain Administrator level privileges. We will need the domain
name, username and password.
For Network share we require share name in UNC format, username and password.

Firewall Ports

TCP outbound AND inbound ports 139 or 445 from CDD Scanner to each Target and
back
(Windows NT/2000 may require ports 135-137 UDP too)

High Level Windows Settings required

File Sharing and Network Discovery enabled both on CDD Scanner machine and
Targets
Administrative shares such as ADMIN$, C$, D$ etc. need to be available both on
CDD Scanner machine and Targets
Any host based firewalls also need to allow Windows traffic
Windows Local or Domain Administrator rights are needed both on the CDD Scanner
machine and Targets. With every new version of Windows, it is getting harder to
perform any of these activities using a non-administrative account.
HIDS or Application Whitelisting Software need to whitelist our executables. The
current list and checksums can be obtained through support.

License usage

Only successful scans count toward license usage. For a network share it's one scan
per share. For a domain it's one scan per drive per IP. If a drive scan for an IP
fails for some reason, it won't count toward license usage.

Debugging Steps

The scanner should be able to connect to the machines it is scanning (targets) using
regular Windows networking. Please ensure that this access is possible at the TCP/IP
and NetBIOS levels before we attempt to scan these machines with the scanner.
A good way to test this is to type the target machine name
\\target_machine_name\C$ in the Windows Run box. If that connects with the
provided credentials, we will be able to scan the machine.
The target machine should also be able to connect back to the scanner to return the
results of the scan. This connection is made over Windows (NetBIOS/SMB)
networking using the credentials that CDD was installed with (or, if they have
changed since then, the credentials in the Advanced -> Windows Account/User
Credentials screen). These same credentials are also used to execute the Windows
scheduled task named cdd_Task.
A good way to test this is to type the scanner machine name
\\scanner_machine_name\C$ in the Windows Run box of the target machine and use
the credentials from the CDD -> Advanced -> Windows Account/User Credentials
screen. If that connects with the provided credentials, we will be able to scan the
machine and return the results.
An antivirus/antimalware/application whitelisting or HIDS program on the target may
be preventing our scan process from executing. Please verify that such programs are
not interfering with our execution.
1. Not able to execute CCConn on remote machine
The target machine is not able to connect back to the CDD machine. Please ensure
that the credentials provided under Windows Account/User Credentials have the
right to connect back to the CDD machine.
Also please make sure that there is no antivirus killing the process running on the
target machine.
Please see the below screenshot for reference.

A good way to test the reverse connectivity is to go to the target machine and
type \\Scanner_machine_ip\c$ in the Run window with the admin credentials of the
scanner machine (the same credentials should be provided in the above screenshot).
2. Failed (Host not reachable. Could not access remote machine.)
Please check the scan pre-requisites. The quick steps below will also help:
On the CDD and target machines:
o Ports 139 and 445 should be open
o Network Discovery and File Sharing should be enabled
o The ADMIN$ share should be enabled on the remote machine

If all these things are in place, you will be able to run the following commands:
From the CDD machine:
    net use \\<target IP> <domain user password> /USER:<domain>\<user>
From the target machine:
    net use \\<scanner machine IP> <scanner machine user password> /USER:<scanner machine>\<user>
Also please send us the scan logs from the location below so that we can get more
information from them:
C:\cdd_apache2\htdocs\cdd\logs
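The pre-requisites and debugging steps above boil down to two reachability questions: can the scanner reach TCP 139 or 445 on each target, and is the scanner itself listening on those ports so the target can connect back with its results. The script below is an added example (not ControlCase's code) that answers both from the scanner side before a scan is attempted; the host names in the comment are placeholders, and the demo at the bottom stands up a throwaway local listener so it runs offline.

```python
"""Pre-flight TCP reachability check for CDD Windows file-system scans.

Added example, not ControlCase's code. Checks the forward path (scanner ->
target on 139/445) and, as a necessary-but-not-sufficient check for the
return path, that the scanner's own SMB ports accept connections.
"""
import socket
import threading

SMB_PORTS = (139, 445)  # ports the guide lists for Windows file-system scans


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports=SMB_PORTS, timeout=2.0):
    """Map each port to whether it accepted a TCP connection."""
    return {port: port_open(host, port, timeout) for port in ports}


def reachability_report(scanner, targets, ports=SMB_PORTS):
    """Per-target verdict. 'forward_ok' is True when at least one port answered
    (the guide says 139 *or* 445). 'scanner_listening' tells whether the
    scanner's own ports are open; the true reverse test still has to be run
    from the target (net use \\\\<scanner>\\C$), this only rules out the case
    where nothing is listening at all."""
    scanner_ports = check_ports(scanner, ports)
    report = {}
    for target in targets:
        forward = check_ports(target, ports)
        report[target] = {
            "ports": forward,
            "forward_ok": any(forward.values()),
            "scanner_listening": any(scanner_ports.values()),
        }
    return report


def demo_listener():
    """Constructed stand-in for an SMB listener: a local socket on an
    OS-chosen port that accepts and immediately closes connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def unused_port():
    """A port nothing is listening on right now (bind to 0, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demo against the local listener; on a real scanner you would run
    # reachability_report("cdd-scanner", ["fileserver01"]) with the default ports.
    srv = demo_listener()
    demo_ports = (srv.getsockname()[1], unused_port())
    for host, result in reachability_report("127.0.0.1", ["127.0.0.1"], demo_ports).items():
        print(host, result)
    srv.close()
```

A target whose report shows forward_ok False fails at the TCP level, so credentials and shares are not yet the problem; that is the "Host not reachable" case above, and the firewall and service checklist is where to look first.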

UNIX (Linux, Solaris, HP, AIX, MAC OS etc.)

We support Apple MAC, UNIX/Linux, FreeBSD, Solaris, Solaris SPARC, IBM AIX and HP-UX
in this category.
For all of the above flavors the tool requires SSH to be enabled and SSH access to be
available.

Firewall Ports required

TCP 22 for UNIX based systems for SSH.

High Level OS Settings required

The user must have execute permission on the /tmp/ folder on the target machine. The
folder itself must also allow execution (i.e. it must not be mounted noexec). This can
be confirmed from the /etc/fstab file or simply by running mount in a shell.
Our tool requires glibc version 2.4 or above. Please run the command below from a
console on target Linux machines to check the glibc version:
    ldd --version
While configuring a scan for a Linux/Unix machine choose the correct OS version:

Also please confirm the distribution type of the machine by typing the command
below from a console:
    uname -a
This will return the OS distribution name along with the OS type.

License usage
Only successful scans count toward license usage. It's one scan per IP.

Debugging Steps
1. Please check whether the user has execute permission on the /tmp/ folder on
the target machine(s).
2. Please run the command below from a console on target Linux machines to
check the glibc version. Our tool requires glibc version 2.4 or above.
    ldd --version
3. You can copy the scan binary to the target machine manually and execute it
to check for additional error messages:
a. Copy CCSearch from
C:\cdd_apache2\htdocs\cdd\modules\configuration\ on the CDD machine
to the /tmp/ directory on the target machine
b. Open a console on the target Linux machine
c. Go to the /tmp/ location: cd /tmp/
d. Make the binary executable: chmod +x CCSearch
e. Run the binary: ./CCSearch
f. Please use the CCSearch binary that matches the OS version, as described
below:
    CCSearchA     Searches IBM AIX
    CCSearchFB    Searches FreeBSD
    CCSearchH     Searches HP-UX
    CCSearchM     Searches Apple MAC
    CCSearchSS    Searches Solaris Sparc
    CCSearchSX    Searches Solaris X86
    CCSearchX     Searches Linux/Unix
    CCSearchX64   Searches Linux/Unix 64 bit
4. Please ensure that the tool has execute permission at the /tmp/ location
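The UNIX checks in this section (execute permission on /tmp/, glibc 2.4 or newer, and picking the CCSearch variant from the OS type) are all decided from the output of mount, ldd --version and uname -a. The script below is an added example, not ControlCase's code, that parses that output and produces one readiness verdict per target; the sample outputs are constructed, and the binary table is the one listed in step 3f above.

```python
"""Readiness checks for a UNIX/Linux CDD target, driven by the command
output the guide asks for (mount, ldd --version, uname -a).

Added example, not ControlCase's code. Feed it the text captured over SSH
from the target; the samples at the bottom are constructed.
"""
import re

MIN_GLIBC = (2, 4)  # the guide requires glibc 2.4 or newer


def glibc_version(ldd_output):
    """(major, minor) parsed from the first line of `ldd --version`,
    e.g. 'ldd (GNU libc) 2.17' -> (2, 17); None if it cannot be parsed."""
    stripped = ldd_output.strip()
    first = stripped.splitlines()[0] if stripped else ""
    m = re.search(r"(\d+)\.(\d+)\s*$", first)
    return (int(m.group(1)), int(m.group(2))) if m else None


def glibc_ok(ldd_output):
    v = glibc_version(ldd_output)
    return v is not None and v >= MIN_GLIBC


def tmp_allows_exec(mount_output):
    """False if /tmp is its own mount carrying 'noexec' (CCSearch could not be
    run there); True otherwise. Expects Linux `mount` lines of the form
    '<dev> on <dir> type <fs> (<opts>)'."""
    for line in mount_output.splitlines():
        m = re.match(r"\S+ on (\S+) type \S+ \((.*)\)", line.strip())
        if m and m.group(1) == "/tmp":
            return "noexec" not in m.group(2).split(",")
    return True  # /tmp is not a separate mount; it inherits the parent's options


def pick_binary(uname_output):
    """Map `uname -a` output to the CCSearch variant from the guide's table."""
    text = uname_output.lower()
    if text.startswith("aix"):
        return "CCSearchA"
    if text.startswith("freebsd"):
        return "CCSearchFB"
    if text.startswith("hp-ux"):
        return "CCSearchH"
    if text.startswith("darwin"):
        return "CCSearchM"
    if text.startswith("sunos"):
        return "CCSearchSS" if ("sparc" in text or "sun4" in text) else "CCSearchSX"
    if text.startswith("linux"):
        return "CCSearchX64" if ("x86_64" in text or "amd64" in text) else "CCSearchX"
    return None


def readiness(uname_output, ldd_output, mount_output):
    """Combine the checks into one verdict plus the reasons for a failure."""
    problems = []
    if not tmp_allows_exec(mount_output):
        problems.append("/tmp is mounted noexec")
    binary = pick_binary(uname_output)
    if binary is None:
        problems.append("unrecognised OS in uname output")
    # the glibc requirement applies to the Linux binaries
    if binary in ("CCSearchX", "CCSearchX64") and not glibc_ok(ldd_output):
        problems.append("glibc older than %d.%d" % MIN_GLIBC)
    return {"binary": binary, "ready": not problems, "problems": problems}


# Constructed sample outputs (not captured from a real host)
SAMPLE_UNAME = "Linux db01 3.10.0 #1 SMP x86_64 x86_64 x86_64 GNU/Linux"
SAMPLE_LDD = "ldd (GNU libc) 2.17\nCopyright (C) 2012 Free Software Foundation, Inc.\n"
SAMPLE_MOUNT_NOEXEC = (
    "/dev/sda1 on / type xfs (rw,relatime)\n"
    "/dev/sda2 on /tmp type xfs (rw,nosuid,nodev,noexec,relatime)\n"
)

if __name__ == "__main__":
    print(readiness(SAMPLE_UNAME, SAMPLE_LDD, SAMPLE_MOUNT_NOEXEC))
```

A noexec /tmp is the case that most often looks like a permissions problem in step 1 but survives chmod +x, which is why the verdict reports it separately from the glibc and OS checks.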



Database

Currently we support Oracle, SQL Server, MySQL, Sybase and PostgreSQL. An Oracle
scan requires the Instant Client to be installed on the scanner machine. Details on
how to obtain and install the Instant Client are provided in the Quick-start guide.
A Sybase scan also requires a client. The Sybase client needs to be acquired
internally; it is not distributed with CDD.
For the other databases no client is required.

Firewall Ports required

If the default ports are used:

TCP 1433          outbound to each SQL Server/Postgres database
TCP 1521          outbound to each Oracle database
TCP 3306          outbound to each MySQL database
TCP 4100 or 7100  outbound to each Sybase database

If default ports are not used, please consult with your DBA to get the correct port
details.

High Level Database Settings required

For SQL Server scans, we will need the credentials (username, password) for an
account that has admin/sa level access to the database (needed for the Trial/POC; in
production, we can tweak and lower the access rights needed).
For Oracle scans, it is best to have an Oracle DBA available to provide you with the
correct configuration settings to scan the database (including but not limited to
tnsnames files, service name etc.).
Please verify that your SQL*Plus configuration is working and that you can connect
to the database you are trying to scan through SQL*Plus first.
For Sybase scans, please verify that your Sybase client is working and that you can
connect to the database using the Sybase client before you use CDD to scan the
database. Again, it is best to have a DBA assist you in this process.

License usage

The license usage scheme is different for Oracle and Sybase than for other databases.
For Oracle and Sybase the databases are identified by their service names. One
database server can contain multiple databases with different service names, and
each such database counts as one scan toward the usage.
For SQL Server, MySQL and Postgres, one whole server counts as one license
usage. Please note that the server may contain multiple databases.

Debugging Steps

First test database connectivity from the scanner machine. Please see the knowledge
base entry below to confirm database connectivity:
https://help.controlcase.com/kb/testing-database-connectivity-using-odbc/
1. Oracle scans are failing:
Please check whether the Instant Client is installed properly. See the knowledge
base guide below to do this:
https://help.controlcase.com/kb/oracle-instant-client-installer-post-installverification/
Please verify the correct service names with your DBA.
2. SQL Server scans are failing:
First verify that the SQL Server can be connected to from the scanner machine and
that credentials, ports etc. are correct.
Check whether the user can access the Database State and Server State views. If not,
please use the commands below to grant the access:
    GRANT VIEW DATABASE STATE TO <<login name>>
    GRANT VIEW SERVER STATE TO <<login name>>
3. MySQL scans are failing:
First verify that the MySQL server can be connected to from the scanner machine and
that credentials, ports etc. are correct.
Check with your DBA whether the user has permission to access the database
remotely and that the correct setting has been made for this purpose in the MySQL
users table.



Other sensitive data


The CDD tool can be used to scan for other sensitive data. Some out-of-the-box patterns
are already provided by default.

Users can build their own search pattern to search for custom data.

Regular Expression search


Users can build their own regular expression and pass it to the CDD tool to perform
a search based on it.

In the above example, Custom Regular Expression Search is selected from the
Title dropdown. This enables an extra text area where the user can input the regular
expression. The user must provide a title for this custom regular expression; this
title will appear on the scan report. The user can choose to display all or some of the
matched characters in the Display section.



Custom Word Search


We have introduced a custom word search feature that helps users avoid writing
complex regular expressions. In the scenario where users are looking for a particular
word or set of words, this feature comes in very useful.
A set of words is already provided in the system by default. Please go to Settings ->
Custom Words to see the default words.

You can flush all of this data and build your own set of words. Once the data is saved
here, these words will be available for searching.
While configuring a scan, please select Custom Words from the Title dropdown.
Provide a custom title for the search. The words added in the above steps will be
available in the Custom Regular Expression text area.

If you add this record, the custom title will be added as a template and it'll be
available in the Title dropdown for future scans.

If you want another template (set of words), please go back to the Settings tab and add
another set of words. This will then appear under the Custom Words title. Please
repeat the above procedure to add this as a custom word template.
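The Regular Expression search and Custom Word Search sections above describe three things a discovery search needs: a pattern for the data being looked for, a way to cut false positives, and control over how much of a match is displayed on the report. The script below is an added example, not ControlCase's code or the patterns CDD ships with; it finds card-number-like strings, drops those that fail the Luhn check, masks what it reports in the spirit of the Display setting, and turns a plain word list into one whole-word regular expression the way the Custom Words template spares users from doing by hand. The sample text and word list are constructed, and the card number is a well-known test number, not a real card.

```python
"""Pattern search in the spirit of CDD's Regular Expression search and
Custom Word Search. Added example, not ControlCase's code.
"""
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits, show_first=6, show_last=4):
    """Report only part of the number, like the guide's Display setting.
    show_first=0, show_last=0 hides everything; large values show it all."""
    keep = show_first + show_last
    if keep >= len(digits):
        return digits
    head = digits[:show_first]
    tail = digits[len(digits) - show_last:] if show_last else ""
    return head + "*" * (len(digits) - keep) + tail


def find_card_numbers(text, show_first=6, show_last=4):
    """Masked, Luhn-valid card numbers found in text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits, show_first, show_last))
    return hits


def custom_regex_search(text, title, regex):
    """Custom Regular Expression search: one user-supplied pattern, reported
    under the title that will appear on the scan report."""
    return {title: re.findall(regex, text)}


def pattern_from_words(words):
    """Custom Word Search: build one alternation from a word list so users need
    not write the regex themselves. Longer entries come first so a multi-word
    entry wins over a shorter one it starts with; whole-word, case-insensitive."""
    escaped = sorted((re.escape(w.strip()) for w in words if w.strip()),
                     key=len, reverse=True)
    return re.compile(r"\b(?:" + "|".join(escaped) + r")\b", re.IGNORECASE)


def find_words(text, words):
    return pattern_from_words(words).findall(text)


# Constructed sample input (the 4111... number is a standard test number)
SAMPLE_TEXT = (
    "Customer paid with 4111 1111 1111 1111; earlier attempt 4111-1111-1111-1112 "
    "was declined. Scanned PASSPORT copy on file, phone 555-0100, tax id 123-45-6789."
)
SAMPLE_WORDS = ["passport", "driver licence", "visa"]

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_TEXT))        # ['411111******1111']
    print(find_words(SAMPLE_TEXT, SAMPLE_WORDS))  # ['PASSPORT']
    print(custom_regex_search(SAMPLE_TEXT, "US tax id", r"\b\d{3}-\d{2}-\d{4}\b"))
```

The second number in the sample is one digit off a valid PAN and is silently dropped; that is the difference between a bare regex and a discovery rule, and it is why the report stays readable on file shares full of invoice and order numbers.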
