Version 1.0
Sept 23, 2013
History Log
Version: 1.0
Date: September 23, 2013
Author: Samir Mondal, ControlCase
Contents
Hardware Pre-requisites
Installation
Running a scan
  Scan Pre-requisites
  Configure a scan
Windows Services required for CDD Scans
Domain/Network Share
Firewall Ports
High Level Windows Settings required
License usage
Debugging Steps
UNIX (Linux, Solaris, HP, AIX, MAC OS etc.)
  Firewall Ports required
  High Level OS Settings required
  License usage
  Debugging Steps
Database
  Firewall Ports required
  High Level Database Settings required
  License usage
  Debugging Steps
Other sensitive data
  Regular Expression search
  Custom Word Search
ControlCase
Hardware Pre-requisites
1. The CDD installation machine (scanner machine) needs to be a brand new install of Windows Server 2008 R2 or Windows 7 Enterprise.
2. The Windows operating system should be in the English language (other languages are not supported at this time).
3. The scanner machine should have a 1 or 2 core 2.4 GHz CPU or better, with at least 200 GB of free disk space and 4 GB of RAM. If Windows runs well on the hardware, so does CDD.
4. We need administrator credentials on the scanner machine to install the software. This account should be a true administrator with ALL access rights to the machine, including but not limited to: run as a service, install scheduled tasks, access the network, and inbound RDP.
5. The scanner machine should allow standard Windows networking, administrative shares (ADMIN$ etc.) and RPC ports. Network Discovery and Windows File Sharing need to be enabled on this machine, and the NetBIOS/SMB ports 139 and 445 should be open. Port 745 (the CDD web interface) should also be open on this machine if CDD needs to be accessed remotely.
Installation
Double click on the EXE and provide credentials when asked. The package will
install web server, application, database server and scheduled task (cdd_Task).
Once installed the application can be accessed with a web browser
http://localhost:745/cdd/
Default user name: cdduser
Default password: cddpassword
Debugging steps for installation issues:
1. Credentials not accepted
Provide correct administrative credentials. The installer checks the credentials before it starts to install services and copy files.
2. Apache service blocked
The service may be blocked by the Windows Firewall, UAC or a third-party antivirus/firewall. Allow this service to be installed.
3. Zend Optimizer error on first logon
Make sure no other Apache/PHP installation is present on the scanner machine.
4. Windows Task Scheduler error
a. Make sure the credentials provided at installation time can run and execute the CDD scheduled task (cdd_Task).
b. The above user must have write permission on the target folder where CDD was chosen to be installed.
c. CDD must be installed only on the allowed platforms listed under Hardware Pre-requisites.
Running a scan
There are 6 steps involved in configuring and running a CDD scan.
1. Configure scan - In this step the user creates or edits scans and adds or deletes scan items. A user can add as many file system and database items as wanted in a single scan.
2. Validate Credentials - The tool validates the credentials provided by the user and marks each item as pass or fail. Only the items marked as passed are run in the next phase.
3. Running Tools - The tool invokes the executables required to scan the database or file system for cardholder/sensitive data.
4. Collect output/result files - The tool collects the output/result files generated by the executables and inserts them into the database for further processing.
5. Parse the output/result files - The tool parses the output files and populates the data into various tables so that reports can be generated on the fly.
6. Generate reports - The tool generates the PDF and Excel reports and keeps them ready for the user to download as a zip. Generating the PDF and Excel reports is usually the slowest step.
Scan Pre-requisites
ControlCase Data Discovery uses native protocols, ports and access methods to perform data discovery searches on remote systems. We use neither a custom protocol nor custom ports to perform the scans.
We use regular Windows networking for Windows file system scans, SSH-based scans for Unix-based (and MAC OS) targets, and the regular client access protocols and libraries for all database scans.
The information below will help customers who work in tightly controlled environments to troubleshoot why scans fail.
Configure a scan
Users can add a new scan, or modify a partially configured one, by clicking on the New Scan tab.
Configuring a scan requires a valid license. If you don't have a valid license you will not be able to configure a new scan.
CDD supports 2 different types of scan. For database scanning both types behave the same; for file system scanning they differ in how many matches are reported per file:
1. Normal Scan - The tool reports up to 2 card data items from each file (the number is configurable by the support user from the Settings tab).
2. Proximity Scan - The tool reports the chosen number of card data items from each file.
A scan can be scheduled to run later. For more details please see the section Scheduling a scan.
To configure a new scan, enter a name (so that you can distinguish between your scans) and click NEXT.
Windows Services required for CDD Scans
The following Windows services are required for CDD scans:
- NetLogon
- Network Store Interface Service
- Remote Procedure Call (RPC)
- RPC Endpoint Mapper
- Server
- Task Scheduler
- TCP/IP NetBIOS Helper
- User Profile Service
- Workstation
- DCOM Server Process Launcher
- Computer Browser
Domain/Network Share
For domain-level scans (i.e. scanning an entire domain from our scanner) we need an account with Domain Administrator level privileges, together with the domain name, username and password. Because CDD stores these credentials and uses them against every target, protect the scanner machine as you would any host holding Domain Administrator credentials.
For a network share we require the share name in UNC format (e.g. \\server\share), plus the username and password.
Firewall Ports
TCP ports 139 or 445, both outbound and inbound, from the CDD scanner to each target and back (Windows NT/2000 may also require UDP ports 135-137).
High Level Windows Settings required
File Sharing and Network Discovery enabled both on the CDD scanner machine and on the targets.
Administrative shares such as ADMIN$, C$, D$ etc. must be available both on the CDD scanner machine and on the targets.
Any host-based firewalls must also allow Windows (SMB/RPC) traffic.
Windows Local or Domain Administrator credentials both on the CDD scanner machine and on the targets. With every new version of Windows it is getting harder to perform any of these activities using a non-administrative account.
HIDS or application whitelisting software must whitelist our executables. The current list and checksums can be obtained through support.
License usage
Only successful scans count toward license usage. For a network share it is one scan per share. For a domain it is one scan per drive per IP. If a drive scan for an IP fails for some reason, it does not count toward license usage.
Debugging Steps
1. Verify connectivity in both directions.
The scanner must be able to connect to the machines it scans (targets) using regular Windows networking. Ensure that this access works at the TCP/IP and NetBIOS levels before attempting to scan these machines.
A good test is to type \\target_machine_name\C$ in the Windows Run box on the scanner. If that connects with the credentials you intend to use, CDD will be able to scan the machine.
The target machine must also be able to connect back to the scanner to return the scan results. This connection is made over Windows (NetBIOS/SMB) networking using the credentials CDD was installed with (or, if they have changed since, the credentials in the Advanced -> Windows Account/User Credentials screen). The same credentials are also used to execute the Windows scheduled task named cdd_Task.
To test the reverse connectivity, go to the target machine and type \\Scanner_machine_ip\C$ in the Run box, using the administrator credentials of the scanner machine (the same ones configured in Advanced -> Windows Account/User Credentials).
2. Failed (Host not reachable. Could not access remote machine.)
Check the scan pre-requisites. The following quick checks also help. On both the CDD machine and the target:
- Ports 139 and 445 should be open
- Network Discovery and File Sharing should be enabled
- The ADMIN$ share should be enabled on the remote machine
If all of these are in place, you will be able to run the following commands:
From the CDD machine:
    net use \\<target IP> <domain user password> /USER:<domain>\<user>
From the target machine:
    net use \\<scanner machine IP> <scanner machine user password> /USER:<scanner machine>\<user>
Also send us the scan logs from the location below so that we can get more information:
C:\cdd_apache2\htdocs\cdd\logs
UNIX (Linux, Solaris, HP, AIX, MAC OS etc.)
We support Apple MAC, UNIX/Linux, FreeBSD, Solaris, Solaris SPARC, IBM AIX and HP-UX in this category.
Firewall Ports required
For all of the above flavors the tool requires SSH to be enabled on the target and reachable from the scanner machine (TCP port 22 by default).
High Level OS Settings required
The scan user must have execute permission on the /tmp/ folder on the target machine, and the filesystem holding /tmp/ must be mounted with execute capability (not noexec). This can be verified in /etc/fstab or simply by running mount in a shell.
Our tool requires Glibc version 2.4 or above. Run the following command from a console on the target Linux machines to check the Glibc version:
ldd --version
While configuring a scan for a Linux/Unix machine, choose the correct OS version. To confirm the OS type of the machine, run the following from a console:
uname -a
This returns the OS name, kernel version and hardware type.
License usage
Only successful scans count toward license usage. It is one scan per IP.
Debugging Steps
1. Check whether the user has execute permission on the /tmp/ folder on the target machine(s), and that /tmp/ is not mounted noexec.
2. Run the following command from a console on the target Linux machines to check the Glibc version (our tool requires Glibc 2.4 or above):
ldd --version
3. You can copy the scan binary to the target machine manually and execute it to check for additional error messages:
a. Copy CCSearch from C:\cdd_apache2\htdocs\cdd\modules\configuration\ on the CDD machine to the /tmp/ directory on the target machine
b. Open a console on the target Linux machine
c. Go to /tmp/: cd /tmp/
d. Make the binary executable: chmod +x CCSearch
e. Run the binary: ./CCSearch
f. Use the CCSearch binary that matches the target OS:
CCSearchA    IBM AIX
CCSearchFB   FreeBSD
CCSearchH    HP-UX
CCSearchM    Apple MAC
CCSearchSS   Solaris SPARC
CCSearchSX   Solaris x86
CCSearchX    Linux/Unix
CCSearchX64  Linux/Unix 64-bit
4. Ensure that the tool has execute permission on the /tmp/ location.
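The three OS-level checks above (execute permission on /tmp/, Glibc 2.4 or above, and picking the CCSearch binary for the target OS) can be scripted once the command output is captured. The following Python is an added example, not ControlCase code: it parses the output of the commands the guide names (mount, ldd --version, uname -a) and reports what is missing. The mapping from uname -a output to the CCSearch binary names in the table above is an assumption, and the sample command outputs are constructed.

```python
"""Checks for the UNIX target prerequisites: /tmp not mounted noexec,
Glibc 2.4 or newer, and the OS flavor that selects the CCSearch binary.

Added example, not ControlCase code. It parses the output of the commands the
guide names (mount, ldd --version, uname -a). The mapping from uname output to
the CCSearch binary names is an assumption; the sample outputs are constructed.
"""
import re
from typing import List, Optional, Tuple


def tmp_is_executable(mount_output: str, path: str = "/tmp") -> bool:
    """Return False when the filesystem holding `path` is mounted noexec.

    Parses Linux/BSD style `mount` lines ('dev on /mnt type fs (opts)'). /tmp
    is often not a mount point of its own, so the longest mount point that is
    a prefix of the path is the one whose options apply: a noexec root
    filesystem and a noexec tmpfs on /tmp are both caught.
    """
    best: Optional[Tuple[str, List[str]]] = None
    for line in mount_output.splitlines():
        m = re.match(r"^\S+ on (\S+) type \S+ \(([^)]*)\)", line)
        if not m:
            continue
        mountpoint, opts = m.group(1), m.group(2).split(",")
        covers = path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/")
        if covers and (best is None or len(mountpoint) > len(best[0])):
            best = (mountpoint, opts)
    if best is None:
        raise ValueError(f"no mount entry covers {path}")
    return "noexec" not in best[1]


def glibc_version(ldd_output: str) -> Tuple[int, int]:
    """Parse the version at the end of the first `ldd --version` line, e.g.
    'ldd (GNU libc) 2.17' or 'ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31'."""
    first = ldd_output.strip().splitlines()[0]
    m = re.search(r"(\d+)\.(\d+)\s*$", first)
    if not m:
        raise ValueError(f"cannot parse glibc version from: {first!r}")
    return int(m.group(1)), int(m.group(2))


def glibc_ok(ldd_output: str, minimum: Tuple[int, int] = (2, 4)) -> bool:
    """Compare as integer tuples: a plain string compare would rank 2.17 below 2.4."""
    return glibc_version(ldd_output) >= minimum


def ccsearch_binary(uname_output: str) -> str:
    """Pick the CCSearch variant from `uname -a` output (assumed mapping)."""
    fields = uname_output.split()
    system = fields[0] if fields else ""
    if system == "Linux":
        return "CCSearchX64" if "x86_64" in fields else "CCSearchX"
    if system == "SunOS":
        return "CCSearchSX" if "i86pc" in fields else "CCSearchSS"
    names = {"Darwin": "CCSearchM", "AIX": "CCSearchA",
             "HP-UX": "CCSearchH", "FreeBSD": "CCSearchFB"}
    if system in names:
        return names[system]
    raise ValueError(f"unsupported system: {system!r}")


def prerequisite_problems(mount_output: str, ldd_output: str, uname_output: str) -> List[str]:
    """Return the list of unmet prerequisites (empty when the target is ready)."""
    problems: List[str] = []
    if not tmp_is_executable(mount_output):
        problems.append("/tmp is mounted noexec; CCSearch cannot run from it")
    if not glibc_ok(ldd_output):
        major, minor = glibc_version(ldd_output)
        problems.append(f"glibc {major}.{minor} is older than 2.4")
    try:
        ccsearch_binary(uname_output)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample outputs for a target whose /tmp is a noexec tmpfs.
MOUNT_NOEXEC = (
    "/dev/sda1 on / type ext4 (rw,relatime)\n"
    "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)\n"
)
MOUNT_OK = "/dev/sda1 on / type ext4 (rw,relatime)\nproc on /proc type proc (rw)\n"
LDD_OK = "ldd (GNU libc) 2.17\nCopyright (C) 2012 Free Software Foundation, Inc.\n"
UNAME_LINUX = ("Linux target01 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 "
               "UTC 2020 x86_64 x86_64 x86_64 GNU/Linux")

if __name__ == "__main__":
    for problem in prerequisite_problems(MOUNT_NOEXEC, LDD_OK, UNAME_LINUX):
        print("PREREQUISITE MISSING:", problem)
```

Run the three commands on the target, paste their output into the three strings, and the script lists what has to be fixed before the scan; an empty list means the target is ready for CCSearch.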
Database
Currently we support Oracle, SQL Server, MySQL, Sybase and PostgreSQL. Oracle scans require the Oracle Instant Client to be installed on the scanner machine; the Quick-start guide explains how to obtain and install it. Sybase scans also require a client, which must be acquired internally as it is not distributed with CDD. For the other databases no client is required.
Firewall Ports required
Default ports (TCP) from the CDD scanner to the database server:
SQL Server   TCP 1433
Oracle       TCP 1521
MySQL        TCP 3306
Sybase       TCP 4100
If the default ports are not used, consult your DBA for the correct port details.
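The port requirements in the Windows, UNIX and Database sections are easy to verify before a scan is configured. The Python below is an added example, not ControlCase code or anything CDD ships: run from the scanner machine, it probes the TCP ports this guide lists for each target type and tells a port that is actively refused (host answers, nothing listening) from one that is silently dropped (a host or network firewall), which is the usual cause of "Host not reachable". Port numbers are taken from this guide except SSH on TCP 22, which is the standard default; the host names in the usage line are placeholders.

```python
"""Pre-flight TCP reachability check for CDD scan targets.

Added example (not ControlCase code). It probes the ports the guide lists for
each target type from the scanner machine. Port numbers are from the guide
except SSH on TCP 22, the standard default. Host names are placeholders.
"""
import socket
from typing import Dict, List, Tuple

# Ports the guide requires per target type (SSH 22 assumed for Unix targets).
TARGET_PORTS: Dict[str, Tuple[int, ...]] = {
    "windows": (139, 445),
    "unix": (22,),
    "sqlserver": (1433,),
    "oracle": (1521,),
    "mysql": (3306,),
    "sybase": (4100,),
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' (RST from the host), 'filtered' (no answer
    within the timeout) or 'unresolved' (name lookup failed).

    'filtered' on 139/445 almost always means a host-based or network firewall
    is dropping SMB; 'closed' means the host answers but nothing listens there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        return "unresolved"
    except (socket.timeout, OSError):
        return "filtered"


def check_target(host: str, kind: str, timeout: float = 3.0) -> Dict[int, str]:
    """Probe every port the guide requires for a target of the given kind."""
    return {port: probe_tcp(host, port, timeout) for port in TARGET_PORTS[kind]}


def target_ok(kind: str, results: Dict[int, str]) -> bool:
    """Decide whether the probe results satisfy the guide's requirement.

    Windows targets need 139 OR 445 (either SMB port is enough); every other
    kind needs all of its listed ports open.
    """
    if kind == "windows":
        return any(results.get(p) == "open" for p in (139, 445))
    return all(results.get(p) == "open" for p in TARGET_PORTS[kind])


def preflight(targets: List[Tuple[str, str]], timeout: float = 3.0) -> List[str]:
    """Return one human-readable line per target that fails its port check."""
    problems: List[str] = []
    for host, kind in targets:
        results = check_target(host, kind, timeout)
        if not target_ok(kind, results):
            detail = ", ".join(f"{p}/tcp {state}" for p, state in results.items())
            problems.append(f"{host} ({kind}): {detail}")
    return problems


if __name__ == "__main__":
    # Placeholder hosts; replace with the real targets of the scan.
    for line in preflight([("fileserver01", "windows"), ("db01", "sqlserver")]):
        print("BLOCKED:", line)
```

A port reported as filtered is a firewall problem to raise with the network or host owners; a closed port means the service itself (SMB, SSH, the database listener) is not running or listens on a non-default port, which is the case the DBA note above covers.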
High Level Database Settings required
For SQL Server scans we need the credentials (username, password) of an account with admin/sa level access to the database. This is needed for the Trial/POC; in production the access rights can be tweaked and lowered.
For Oracle scans it is best to have an Oracle DBA available to provide the correct configuration settings to scan the database (including but not limited to the tnsnames file and service name). Verify that your SQL*Plus configuration works and that you can connect to the database you are trying to scan through SQL*Plus first.
For Sybase scans, verify that your Sybase client works and that you can connect to the database with it before using CDD to scan the database. Again, it is best to have a DBA assist you in this process.
License usage
The license usage schema is different for Oracle and Sybase than other databases.
For Oracle and Sybase the databases are identified by the service names. One
database server can contain multiple databases with different service names. For
each database one scan will be counted to the usage.
For SQL Server, MySQL and Postgres, one whole server will count to one license
usage. Please note that the server may contain multiple databases.
Debugging Steps
First test database connectivity from the scanner machine. See the following knowledge base entry to confirm database connectivity:
https://help.controlcase.com/kb/testing-database-connectivity-using-odbc/
1. Oracle scans are failing:
Check whether the Instant Client is installed properly. See the following knowledge base guide:
https://help.controlcase.com/kb/oracle-instant-client-installer-post-installverification/
Verify the correct service names with your DBA.
2. SQL Server scans are failing:
First verify that the SQL Server can be reached from the scanner machine and that the credentials, ports etc. are correct.
Check whether the user can access the database state and server state views. If not, use the following commands to grant the access:
GRANT VIEW DATABASE STATE TO <<login name>>
GRANT VIEW SERVER STATE TO <<login name>>
3. MySQL scans are failing:
First verify that the MySQL server can be reached from the scanner machine and that the credentials, ports etc. are correct.
Check with your DBA whether the user has permission to access the database remotely and that the host entry for the user in the MySQL user table allows it.
Other sensitive data
Regular Expression search
Users can build their own search pattern to search for custom data.
When configuring a scan, select Custom Regular Expression Search from the Title dropdown. This enables an extra text area where the user can enter the regular expression. The user must provide a title for this custom regular expression; the title will appear on the scan report. In the Display section the user can choose to display all or only some of the characters of each match in the report.
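As an added example for the custom regular expression search described above (illustrative Python, not ControlCase's CCSearch code), the block below runs user-defined (title, regex) searches over file content, applies the Display setting as a show-first/show-last character mask, and caps the hits per file the way the Normal Scan's per-file count does. The Luhn check that filters false positives, the per-file limit parameter, the "Employee ID" pattern and the sample text are this example's own assumptions; the guide does not state that CDD performs a Luhn check.

```python
"""Custom pattern search over file content.

Illustrative code, not ControlCase's CCSearch implementation. Assumptions: a
search is a (title, regex) pair as in the Title dropdown; the Display option
is modelled as show_first/show_last; the Luhn filter and the per-file hit
limit (2 for a Normal scan per the guide) are this example's additions.
The sample text is constructed.
"""
import re
from typing import Callable, List, NamedTuple, Optional


class Hit(NamedTuple):
    title: str      # custom title that would appear on the scan report
    offset: int     # character offset of the match in the file
    display: str    # masked value according to the Display setting


class CustomSearch(NamedTuple):
    title: str
    pattern: "re.Pattern[str]"
    validator: Optional[Callable[[str], bool]] = None  # extra filter on a match


def luhn_ok(value: str) -> bool:
    """Mod-10 check on the digits of `value`; separators are ignored.

    Filters most random 13-19 digit numbers (order IDs, timestamps) that a
    bare regex would otherwise report as card data.
    """
    digits = [int(c) for c in value if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, show_first: int = 0, show_last: int = 4) -> str:
    """Show only the leading/trailing characters, like the Display setting."""
    if show_first + show_last >= len(value):
        return value  # 'display all'
    hidden = len(value) - show_first - show_last
    return value[:show_first] + "*" * hidden + value[len(value) - show_last:]


# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_REGEX = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")

SEARCHES = [
    CustomSearch("Card number (Luhn-checked)", PAN_REGEX, luhn_ok),
    # Hypothetical custom pattern, as a user might enter under a custom title.
    CustomSearch("Employee ID", re.compile(r"\bEMP-\d{6}\b")),
]


def run_search(text: str, searches: List[CustomSearch], per_file_limit: Optional[int] = 2,
               show_first: int = 0, show_last: int = 4) -> List[Hit]:
    """Apply every CustomSearch to `text`, stopping at per_file_limit hits per title.

    per_file_limit=2 mirrors the guide's Normal Scan; pass a larger value or
    None to report the chosen number of matches as a Proximity Scan does.
    """
    hits: List[Hit] = []
    for s in searches:
        count = 0
        for m in s.pattern.finditer(text):
            if s.validator is not None and not s.validator(m.group(0)):
                continue
            hits.append(Hit(s.title, m.start(), mask(m.group(0), show_first, show_last)))
            count += 1
            if per_file_limit is not None and count >= per_file_limit:
                break
    return hits


# Constructed sample: 4111 1111 1111 1111 is a well-known Luhn-valid test number;
# the order number 4111-1111-1111-1112 fails Luhn and must not be reported.
SAMPLE_TEXT = (
    "Refund for order 4111-1111-1111-1112 processed.\n"
    "Card on file: 4111 1111 1111 1111 (exp 12/25)\n"
    "Handled by EMP-004217, escalated to EMP-000931.\n"
)

if __name__ == "__main__":
    for h in run_search(SAMPLE_TEXT, SEARCHES):
        print(f"{h.title}: {h.display} at offset {h.offset}")
```

The regex alone would report the order number on the first line as card data; the validator hook is where a plausibility check belongs so the report stays readable, and the mask keeps full PANs out of the report itself.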
Custom Word Search
The Settings tab shows the current set of words. You can flush these and build your own set of words; once the data is saved there, these words are available for searching.
While configuring a scan, select Custom Words from the Title dropdown and provide a custom title for the search. The words added in the Settings tab will be prefilled in the Custom Regular Expression text area.
If you add this record, the custom title will be saved as a template and will be available in the Title dropdown for future scans.
If you want another template (set of words), go back to the Settings tab and add another set of words. It will then appear under the Custom Words title; repeat the above procedure to add it as a custom word template.