Transcription of AppDetectivePro User's Guide - AppSecInc is now …
1 AppDetectivePro GuideLast Modified February 2, 2011 Application Security, Application Security, Basics 5 What is AppDetectivePro ? 5 Viewing Your Version of AppDetectivePro 6 Minimum System Requirements 6 AppDetectivePro Tasks 13 Customer Support 15 Licensing 16 What is the License File? 16 Licensing FAQ 16 Installation 19 Installing and Configuring AppDetectivePro and SHATTER Knowledgebase Com-ponents 19 Getting Started 42 Understanding the AppDetectivePro Graphical user Interface (GUI) 42 Navigating the Toolbar 43 Navigating Page Views 44 Navigating Menus 46 Application Security, and Maintenance 51 Performing an ASAP Update 51 Uninstalling AppDetectivePro (and the Database and SHATTER Knowledgebase Components), and Deleting the AppDetectivePro Back-End Database 56 AppDetectivePro Tasks 57 Sessions 57 Discovery 66 Policies 76 Pen Tests, Audits, and user Rights Reviews 102 Interviews, Questionnaires, and Work Plans 137 Reports 191 Edit and Tools Menu Tasks 219 Job Scheduler 235 Vulnerability Manager 246 user -Defined Checks 252 Fix Scripts 266 Viewing SCAP Information 268 Appendices 270 Appendix A: Command Line Reference 271 Appendix B: Viewing Check Descriptions 293 Appendix C: Troubleshooting 294 Appendix D: Using Default and Custom Dictionaries 297 Appendix E: Using NMAP 302 Appendix F: Clearing Sybase Application Logs 307 Application Security, G: Audit and user Rights Review Privileges 307 Appendix H: Using microsoft SQL Server with AppDetectivePro 361 Appendix I.
2 Enabling SSL Encryption on AppDetectivePro 363 Appendix J: Default Ports 364 Appendix K: Fix Scripts (Detail) 366 Appendix L: Check Point Logging Properties Installation 407 Appendix M: Customizing Reports with Your Company Logo 413 Appendix N: Integrating a Custom Dictionary to Uncover Easily-Guessed Pass-words 414 Appendix O: Oracle Critical Patch Update Detection 418 Appendix P: Migrating Your Back-End Database 423 Appendix Q: Understanding System Auditing 424 Appendix R: Updating Your Back-End Database from microsoft SQL Server 2000 to microsoft SQL Server 2005 or microsoft SQL Server 2008 426 Appendix S: Dynamic Shell Prompt Handling 428 Appendix T: AppDetectivePro Application Log Files and Installation/Upgrade Log Files 429 Appendix U: Open Ports (on Computers Running microsoft SQL Server) Required to Run Discoveries, Pen Tests, and Audits 432 Appendix V: Uploading Comma-Delimited Text Files, CSV Files, or NMAP Files Containing IP Addresses (or IP Addresses and Ports) to Discover 433 Chapter 1 AppDetectivePro BasicsThis section consists of the following topics: What is AppDetectivePro ?
3 Viewing Your Version of AppDetectivePro Minimum System Requirements AppDetectivePro Tasks Customer SupportWhat is AppDetectivePro ? AppDetectivePro is a network based vulnerability assessment tool that rates the security strength of applications within your network. Armed with a revolutionary security methodology, together with an extensive knowledge base of application vulnerabilities, AppDetectivePro locates, examines, reports, and helps you fix security holes and mis helps you identify vulnerable applications residing upon your network, defines security holes on the applications, then helps you fix them. It has features designed to help you secure your applications, including: application detection and Pen Testing methodology/tactics non intrusive application Denial of Service attack simulations and in depth agent less Audits automated inventory, information gathering, and analysis features reporting facilities to communicate application vulnerabilities and security holes for yourself, colleagues, and others up, down, and across your organization complimentary and compatible to existing security solutions an extensive and continuously updated library of vulnerabilities and identifying all specified applications residing upon your network via performing a Discovery, you can Pen Test or Audit your applications for security holes.
4 All Pen Tests are associated with Policies. You can add new Policies designed to reflect the level of security appropriate for your corporate network. Once you have Application Security, Your Version of AppDetectiveProperformed a Discovery and Pen Tests, the Report Wizard allows you to report your results in a formatted layout. (You can include your company name and logo.)Viewing Your Version of AppDetectiveProTo view your version of AppDetectivePro , Choose Help > About AppDetectivePro . The About AppDetectivePro pop up shows your version System RequirementsThis topic consists of the following sub topics: AppDetectivePro Client Requirements Additional Requirements Supported PlatformsApplication Security, System RequirementsAppDetectivePro Client RequirementsThe following table lists AppDetectivePro client requirements: System RequirementMinimumOperating System microsoft Windows XP Professional SP2 or greater microsoft Windows Server 2003 Standard Edition microsoft Windows Server 2003 Enterprise Edition microsoft Windows Server 2003 Enterprise x64 microsoft Windows 7 microsoft VistaTo install (or ASAP Update to) AppDetectivePro or greater on microsoft Windows Server 2003 Enterprise x64, you must install Framework Version (x64).
5 WinPcap is only required if a non administrative user will be using AppDetectivePro or if you are installing AppDetectivePro on Win dows Vista. In the latter case, WinPcap is required even if the user belongs to the Administrators group, because the user Access Con trol the security concept introduced in Windows Vista requires the privileges to be explicitly Explorer 6 or install AppDetectivePro , perform an ASAP Update, and run a Discovery, you must have Administrative privileges on Win MHz or 1 GHz MB (1 GB recommended).Hard DriveAppDetectivePro requires a minimum 200 MB of free disk space, with additional space required to store vulnerability information. Program Files drive AppDetectivePro requires 402MB of available space on the Pro-gram Files connection to the Security, System RequirementsBack End Database microsoft SQL Server 2000 SP4 microsoft SQL Server 2005 microsoft SQL Server 2005 Express Edition microsoft SQL Server 2008 microsoft SQL Server 2008 Express EditionFor more information, see Appendix H: Using microsoft SQL Server with SQL Server Desktop Engine2000 SP4 (MSDE) sup ports a database size up to 2 GB.
6 microsoft SQL Server 2005 and 2008 Express Edition support a database size up to 4 GB. If your back end database grows beyond these limits, clean out old data, or upgrade your to full version of microsoft SQL can download MSDE 2000 SP4 from the microsoft website for free at you want to update your back end database from microsoft SQL Server 2000 to microsoft SQL Server 2005 or microsoft SQL Server 2008, see Appendix R: Updating Your Back End Data base from microsoft SQL Server 2000 to microsoft SQL Server 2005 or microsoft SQL Server RequirementMinimumApplication Security, System RequirementsAdditional Requirements microsoft .NET Framework Requirement on microsoft Windows Server 2003 Enterprise x64. If you want to install (or ASAP Update to) AppDetectivePro or greater on microsoft Windows Server 2003 Enterprise x64, you must install microsoft .
7 NET Framework Version (x64).In order to run AppDetectivePro , you must have the permission Full Control on the following items: The directory to which you installed AppDetectivePro . The registry key HKEY_LOCAL_MACHINE\SOFTWARE\ODBC and all sub keys Com ponentsWhen you install AppDetectivePro , the installer checks for the following prerequisite components. microsoft XML Core Services SP2 microsoft .NET Framework SP1 (x86). Note that x86 will read x64 if you are installing AppDetectivePro on a 64 bit host machine. microsoft Visual Studio 2005 C++ Redistributable (x86) SQL Server 2005 Backwards Compatibility (x86) Backend Installer Component Database Component WinPcap. Note that WinPcap is only required if a non admin user is going to use AppDetectivePro or if you are installing AppDetectivePro on Windows Vista.
8 In the latter case, WinPcap is required even if the user belongs to the Administrators group because the UAC ( user Access Control), the security concept introduced in Windows Vista, requires the privileges to be explicitly any of these prerequisite components are missing, the App DetectivePro installer automatically installs them. For more information, see Installing and Configuring AppDetectivePro and SHATTER Knowledgebase RequirementMinimumApplication Security, System RequirementsSupported PlatformsThe following table lists AppDetectivePro supported Appendix O: Oracle Critical Patch Update Detection for a listing of all OS specific, required Audit privileges. PlatformMinimumAppDetectivePro for Oracle Target Database ServersOracle 11gR2, Oracle 11gR1, Oracle 10g, Oracle9i, and can perform user Rights Reviews against Discovered Oracle 8i 11g databases.
9 For more information, see Pen Tests, Audits, and user Rights Security, Inc. recommends that you disable in order to Audit an Oracle target data base. However, if you Audit an Oracle 10gR2 target with enabled, and include the AppDetective host s IP address in the list, the Audit will work. Oracle reference: for microsoft SQL Server Target Database ServersMicrosoft SQL Server Versions 2000, 2005, 2005 Express Edi tion, and 2008. MSDE 2000 SP4. Note that you can perform user Rights Reviews against Discovered microsoft SQL Server 2000, microsoft SQL Server 2005, and microsoft SQL Server 2008 databases. For more information, see Pen Tests, Audits, and user Rights Reviews. In order to run a Discovery, Pen Test, or Audit against a microsoft SQL Server database, certain ports on the machine running microsoft SQL Server must be open.
10 For more information, see Appendix U: Open Ports (on Computers Running microsoft SQL Server) Required to Run Discoveries, Pen Tests, and Security, System RequirementsAppDetectivePro for Lotus Dom ino Target ServersLotus Domino , , , , and Note that AppDetec tivePro performs Audits (but not Pen Tests) against Domino Groupware (Notes). AppDetectivePro performs Pen Tests (but not Audits) against Domino order to run AppDetectivePro s Lotus Domino features, you must have the Lotus Notes Client installed on your system. AppDetectivePro needs a valid .id file and password to func tion properly. If you are already a Lotus Notes user , you do not need to reload your Lotus Notes client. For more informa tion, see Lotus Notes Client Driver Security, System RequirementsAppDetectivePro for Sybase Target DataserversSybase , , , , 15, and issue exists with the Sybase Adaptive Server Enterprise ODBC driver that results in an AppDetectivePro connection failure when a Sybase ODBC driver is installed.
