Scanning Strategies and Best Practices Training Labs
Training Labs
Table of Contents
LAB 1: ACCOUNT ACTIVATION AND SETUP (15 MIN.)
  LOGIN TO QUALYS
  UPDATE USER PROFILE
    General Information
    User Role
    Notification Options
  ACCOUNT SETTINGS
  ADD HOST ASSETS
  LAUNCH INITIAL SCAN
  CREATE ASSET GROUP
    AG: San Jose
  IMPORT SEARCH LISTS
LAB 2: OPTION PROFILE (10 MIN.)
  CREATE NEW OPTION PROFILE
  ADDITIONAL SCANNING OPTIONS
    Host Discovery
    Blocked Resources
    Packet Options
LAB 3: AUTHENTICATION AND HOST TRACKING (10 MIN.)
  ENABLE AGENTLESS TRACKING
  CREATE UNIX AUTHENTICATION RECORD
  CREATE WINDOWS AUTHENTICATION RECORD
  LAUNCH AN AUTHENTICATED SCAN
LAB 4: ANALYZING SCAN RESULTS (15 MIN.)
  AUTHENTICATION VERIFICATION
  CREATE CUSTOM SCAN ANALYSIS SEARCH LIST
  CREATE SCAN ANALYSIS REPORT
    Report Qualys Host ID
LAB 5: BASIC SCANNING APPROACHES (15 MIN.)
  CERTIFICATION/ACCREDITATION SCAN
  DISCOVERY/INVENTORY SCAN
  ASSESSMENT SCAN
LAB 6: SCANNING CLOUD AGENT HOSTS (10 MIN.)
  CREATE SEARCH LIST
  CREATE OPTION PROFILE
LAB 7: SCAN DELEGATION (15 MIN.)
  Create New User Account
  Launch Vulnerability Scan
LAB 1: Account Activation and Setup (15 min.)
This lab will address a few steps needed to set up your Qualys student lab account.
These steps will make it possible to complete the remaining lab exercises in this
document.
Login to Qualys
Student account credentials for Self-Paced training classes are automatically generated
and sent to your email inbox within 2 business days (please enroll with your business or
company email address; public email domains are not supported).
Student account credentials for Instructor-Led training classes are provided by the
Qualys class instructor.
Your student trial account must be activated within 14 days of receipt and will remain
active for 30 days from the activation date. Please contact [email protected] with
account credential issues or questions.
2. Record the USERNAME from this document and save it in a secure place.
**The period at the end of the sentence is NOT a part of the USERNAME.
3. To obtain the password, click the link found in the registration document.
4. On the activation page, enter the OTP code found in the registration
document and click Submit. (If it’s been over 30 minutes since you received the
registration document, the OTP code will not work; use the Resend button to
generate a new OTP code.)
For security, the Login username on this page appears partially obfuscated with ******.
5. Record the PASSWORD from this document and save it in a secure place.
6. Use the link provided to login and activate your Qualys student trial account.
NOTE: All student accounts are located on the following Qualys Cloud
Platform. It is recommended to bookmark the following URL in your web browser
for ease of access.
USPOD 3 - https://qualysguard.qg3.apps.qualys.com/
7. Scroll to the bottom and select the checkbox to accept the “Service User
Agreement” and click the “I Agree” button.
8. Enter your current password, and then choose a new password (record your new
password).
9. Click the “Save” button, followed by the “Close” button.
10. Log back in to your student trial account using your new credentials.
Update User Profile
The steps that follow will help you personalize your student user account, and make
other adjustments that will provide a more effective training environment.
1. Click on your User ID (located between “Help” and “Logout”) and select the
“User Profile” option.
General Information
Make any necessary adjustments to the “General Information” section of your user
profile.
2. Update the “E-mail Address” field with your current e-mail address
(notifications and password reset information will be sent to the address you
provide).
User Role
Different Qualys user accounts take on different user roles.
3. Click “User Role” in the navigation pane (left) and make note that your student
account user role is: Manager, and you can access your account using the
Graphical User Interface (GUI) or the Application Program Interface (API).
Notification Options
All notifications will be sent to the e-mail address specified in the “General Information”
section.
4. Click “Options” in the navigation pane (left) and make the appropriate selections
for the type of notifications you would like to receive.
Account Settings
Changes made to account settings will affect all user accounts in your Qualys
subscription.
1. Click on your User ID (located between “Help” and “Logout”) and select the
“Account Settings” option.
Add Host Assets
1. Navigate to A) the “Assets” section. Click B) the “Host Assets” tab. Click the
“New” button and select C) the “IP Tracked Hosts” option.
2. Click “Host IPs” in the navigation pane (left) and enter the following IP address
range: 64.41.200.243-64.41.200.250 (8 IPs).
3. Click the “Add” button, followed by “Apply”.
Launch Initial Scan
IPs that you add to the “Host Assets” tab are “Scannable” and may be used as targets in
any vulnerability scan.
1. From the “Host Assets” tab, use the “Quick Actions” menu to select the
“Launch Scan” option.
4. Verify the IP addresses targeted and click the “Launch” button.
5. Click the “Close” button, when the “Scan Status” window appears.
6. To monitor the progress of your scan, navigate to the “Scans” section, and click
the “Scans” tab.
You may proceed to the next topic, while your initial vulnerability scan runs.
Create Asset Group
Asset Groups are common targets for scanning and reporting and are used to assign
host access privileges to Qualys user accounts.
5. Verify that you now have “AG: San Jose” in your account.
Import Search Lists
A Qualys “Search List” can contain any number of QIDs from the Qualys KnowledgeBase.
In this lab, you will use Search Lists to perform scan analysis on specific QIDs.
2. Select the “top” check box to select all available Search Lists, and then click the
“Import” button.
LAB 2: Option Profile (10 min.)
Create New Option Profile
3. Type “SSBP Custom Profile” in the “Title” field and click “Scan” in the
navigation pane (left).
4. Leave the TCP and UDP ports set to the “Standard Scan” option.
The “Standard Scan” option (about 1900 TCP and 180 UDP ports) provides a good
balance between port coverage and scan performance.
5. Scroll down to “Vulnerability Detection” and verify the “Complete” radio
button is selected.
As its name implies, the “Complete” option encompasses all QIDs in the Qualys
KnowledgeBase. Qualys recommends performing “complete” scans, whenever
you scan. The goal is to scan for everything and then use reports, dashboards
and filtering tools to focus on specific or targeted groups of vulnerabilities.
6. Scroll down to the “Authentication” section and select the check boxes for
both Windows and Unix authentication.
The configuration settings you have made thus far will serve as the foundation for
the lab exercises that follow. A complete discussion of all “Scanning Options” can
be found in the “Scanning Strategies and Best Practices” slideshow presentation.
7. Scroll down to the bottom of the Option Profile and click the “Save” button.
Additional Scanning Options
The “Additional” section of an Option Profile provides configuration options for Host
Discovery, Blocked Resources and Packet Options.
Host Discovery
Host LIVE/DEAD status is determined by the “Host Discovery” module, using a
combination of probes, including: TCP, UDP and ICMP.
Qualys recommends keeping the default settings which allow for the discovery of a
variety of device types, and then specifying additional TCP ports that will potentially
help to discover more assets.
During host discovery, in addition to the TCP SYN packets that are sent to targeted
ports, the service also sends:
• TCP ACK packet with a source port of 80 and a destination port of 2869
• TCP ACK packet with a source port of 25 and a destination port of 12531
• TCP SYN+ACK packet with a source port of 80 and a destination port of 41641
If you don't want these packets sent, select the "Do not send TCP ACK or SYN-ACK
packets during host discovery" check box under Packet Options (discussed below).
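The three non-SYN probes listed above are a useful signature when reviewing firewall logs, for example to confirm that a burst of traffic came from a scanner appliance before tuning IDS/IPS exclusions (see “Blocked Resources” below). The following Python is an added example and not part of the Qualys course material; the iptables-style log format and its FLAGS token are constructed for this illustration.

```python
import re
from collections import Counter, defaultdict

# The three extra host-discovery probes named in the Option Profile text,
# keyed by (TCP flags, source port, destination port).
QUALYS_DISCOVERY_PROBES = {
    ("ACK", 80, 2869): "TCP ACK 80->2869",
    ("ACK", 25, 12531): "TCP ACK 25->12531",
    ("SYN+ACK", 80, 41641): "TCP SYN+ACK 80->41641",
}

# Constructed, iptables-style line format for this example. The FLAGS token
# is an assumption added for readability; real firewall exports differ.
_LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+"
    r"SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)\s+FLAGS=(?P<flags>\S+)"
)


def parse_line(line):
    """Return a packet dict for a recognised line, or None for anything else."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["spt"] = int(pkt["spt"])
    pkt["dpt"] = int(pkt["dpt"])
    return pkt


def classify_probe(pkt):
    """Name the Qualys discovery probe a packet matches, or None.

    Plain SYNs to scanned ports are deliberately not classified: they look like
    any other port scan and carry no scanner-specific marker.
    """
    if pkt is None or pkt["proto"] != "TCP":
        return None
    return QUALYS_DISCOVERY_PROBES.get((pkt["flags"], pkt["spt"], pkt["dpt"]))


def summarize(lines):
    """Map each source IP to a Counter of the probe names it emitted."""
    hits = defaultdict(Counter)
    for line in lines:
        pkt = parse_line(line)
        name = classify_probe(pkt)
        if name:
            hits[pkt["src"]][name] += 1
    return hits


def likely_scanner_sources(lines, min_distinct=2):
    """Sources that emitted at least `min_distinct` different probe types.

    A single ACK from source port 80 to port 2869 can also be an ordinary web
    server answering a client that happened to use port 2869, so one match is
    weak evidence; the combination of probe types is what identifies a scanner.
    """
    return sorted(src for src, c in summarize(lines).items() if len(c) >= min_distinct)


# Constructed sample log: 203.0.113.10 behaves like a scanner appliance,
# 198.51.100.7 is a normal client, 198.51.100.8 produces one coincidental match.
SAMPLE_LOG = [
    "Mar  1 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=80 DPT=2869 FLAGS=ACK",
    "Mar  1 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=25 DPT=12531 FLAGS=ACK",
    "Mar  1 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP SPT=80 DPT=41641 FLAGS=SYN+ACK",
    "Mar  1 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.6 PROTO=TCP SPT=80 DPT=2869 FLAGS=ACK",
    "Mar  1 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.6 PROTO=TCP SPT=44123 DPT=22 FLAGS=SYN",
    "Mar  1 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=443 FLAGS=SYN",
    "Mar  1 10:00:04 fw kernel: IN=eth0 SRC=198.51.100.8 DST=10.0.0.9 PROTO=TCP SPT=80 DPT=2869 FLAGS=ACK",
    "Mar  1 10:00:04 fw kernel: IN=eth0 SRC=198.51.100.8 DST=10.0.0.9 PROTO=UDP SPT=53 DPT=2869 FLAGS=-",
]

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        print(src, dict(counts))
    print("likely scanner sources:", likely_scanner_sources(SAMPLE_LOG))
```

If you tick the “Do not send TCP ACK or SYN-ACK packets during host discovery” option, these three probes disappear and only the indistinguishable SYNs remain, so this check will no longer find anything.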
Blocked Resources
If a Qualys Scanner Appliance triggers your IDS/IPS, it will likely be blacklisted,
preventing further vulnerability testing on your network.
The “Blocked Resources” option allows you to specify which IPs and/or ports you would
like to avoid or protect during a scan. Qualys Scanner Appliances will not target the
resources you specify.
Packet Options
Some filtering devices, such as firewalls, may cause a host to appear "LIVE" when it isn't,
by responding to scanner probes on behalf of the targeted host.
Enabling the top three “Packet Options” will help to keep these “ghost” IPs from
appearing in your scan results and reports.
The last option will prevent the Qualys Scanner Appliance from sending TCP ACK or SYN-
ACK packets during host discovery.
LAB 3: Authentication and Host Tracking (10 min.)
Enable “Agentless Tracking” for all “scannable” host assets, then create Unix and
Windows authentication records that use the “Agentless Tracking” option.
3. Select the “Accept Agentless Tracking Identifier” radio button and click Save.
Once a “Manager” user has accepted the Agentless Tracking Identifier, it can be
enabled in both Windows and Unix authentication records, to control the
distribution of the Qualys Host ID.
Create Unix Authentication Record
Create a Unix authentication record, enable Root Delegation, and configure Agentless
Tracking.
1. Navigate to the “Scans” section and select the “Authentication” tab.
2. Click the “New” button and select “Unix Record”.
3. Type “qscanner with sudo” in the “Title” field.
4. Click “Login Credentials” in the navigation pane, and enter the following
credentials:
Username: qscanner
Password: abc1234!
5. Select “Root Delegation” in the navigation pane and click the “Add Root
Delegation” button.
6. Use the “Root Delegation” drop-down menu to select the “Sudo” option and
enter qscanner’s password (abc1234!) in the “Password” field.
7. Click “Save”.
10. Click “IPs” in the navigation pane and type the following IP addresses in the
“IPs” field: 64.41.200.243-64.41.200.245,64.41.200.250.
11. Click the “Create” button.
Create Windows Authentication Record
Create a Windows authentication record using a “Domain Admin” account, and
configure Agentless Tracking.
1. Navigate to the “Scans” section, and click the “Authentication” tab.
2. From the Authentication tab, click the “New” button and select “Windows
Record…”
3. Type “qscanner as Domain Admin” in the “Title” field.
4. Click “Login Credentials” in the navigation pane and ensure the “Domain” radio
button is selected (under Windows Authentication).
5. Select “Active Directory” using the “Domain Type” drop-down menu.
6. Type “trn.qualys.com” (omit quotes) in the “Domain name” field.
8. Select the “Enable agentless tracking” checkbox and click the “Save” button.
NOTE: The “Domain Admin” authentication record just created does not require
you to identify specific IP addresses.
BEST PRACTICE: Use “Active Directory” or “NetBIOS Service-Selected IPs” domain
type, to avoid maintaining and updating IP addresses.
Launch an authenticated scan
This scan will target all assets in the “AG: San Jose” Asset Group.
1. Go to the “Scans” tab.
2. Click the “New” button and select “Scan”.
5. Use the “Asset Groups” drop-down menu to select “AG: San Jose” as your scan
target.
6. Click the “Launch” button, followed by the “Close” button.
LAB 4: Analyzing Scan Results (15 min.)
Analyze your scan results using some QIDs and Search Lists that are useful for analyzing
authentication and scan performance.
Authentication Verification
Create an Authentication Report to verify scanner appliance authentication results
(PASS or FAIL) and troubleshoot authentication issues.
Best Practice - Run this report frequently to address authentication issues.
Create Custom Scan Analysis Search List
Create a “static” Search List of QIDs that will assist you in analyzing your scan results and
performance.
1. Navigate to the “Search Lists” tab, click the “New” button, and select the
“Static List…” option.
2. Type “Custom Scan Analysis” in the “Title” field.
3. Click “QIDs” in the navigation pane (left) and click the “Manual” button.
4. Enter the following list of QIDs into the “QIDs” field:
6,45017,45038,45179,45180,82004,82023,90194,90195
6. Take a moment to review the QID titles, and then click the “Save” button.
Your custom Search List contains Information Gathered QIDs, exclusively.
Information Gathered QIDs are used to collect host inventory data, such as
system and network information, as well as scan performance information.
Create Scan Analysis Report
Create a custom Scan Report Template that filters your scan results using the Search List
you just created.
4. Click “Findings” in the navigation pane (left) and select the “Scan Based
Findings” radio button.
The “Scan Based Findings” option will prompt you to select a specific finished
scan when you run a report using this template.
5. Click “Display” in the navigation pane (left).
6. Scroll down to the “Detailed Results” section and select the “Vulnerability
Details” and “Results” check boxes.
The “Results” option is required to display Information Gathered QIDs.
7. Click “Filter” in the navigation pane (left).
8. Under the “Selective Vulnerability Reporting” section, select the “Custom”
radio button and use the “Add List” button to add the following Search Lists:
• Custom Scan Analysis
• Windows Authentication Results v.1 (import from Search List Library)
• Unix Authentication Results v.1 (import from Search List Library)
Depending on your display settings, you may need to advance to the next page of
the “Search Lists” window to find Windows and Unix authentication results.
9. Click the “OK” button to save your selections.
10. Scroll down to the “State” section and replace the “Active” Confirmed
Vulnerabilities checkbox with the “Active” Information Gathered checkbox.
Reports created with this template will only display “Information Gathered”
findings. All QIDs in this report are “Information Gathered” QIDs.
11. Click the “Save” button.
12. From the “Templates” tab, use the “Quick Actions” menu to “Run” the SSBP
Scan Analysis Template.
13. Enter “San Jose Scan Analysis Report” in the “Title” field.
14. Select the “HTML pages” Report Format and click the “Next” button.
15. Select the check box for your “San Jose Scan” and click the “Run” button.
** IMPORTANT: Your scan must be finished before you can successfully run this
report.
Report Qualys Host ID
If authentication is successful, the “Agentless Tracking” feature will attempt to write a
Universally Unique ID to the targeted host.
1. For any Windows or Unix host, click to expand the “Information Gathered”
data and then locate and expand the “Report Qualys Host ID Value” QID (45179).
This is the Qualys Host ID produced by Agentless Tracking. Once successfully
assigned to a host, this ID will be used to track host vulnerabilities.
A failed login attempt (illustrated above) will obstruct a successful Qualys Host ID
assignment (QID 45180).
2. Expand the “Host Scan Time” QID (45038) for each host.
Notice that the “Host Scan Time” values for IPs 64.41.200.249 and 64.41.200.250 are
significantly longer than those of the other assets in the report.
3. Expand the “Open TCP Services List” for host IP 64.41.200.249.
The number of services provided by this host is significantly larger than for the
other host assets. This provides one explanation for the longer scan time.
However, did you notice the ports with “unknown” Service? The Qualys Scanning
Engine has over 600 different tests for detecting active services on both TCP and
UDP ports. If none of the service detection tests return a positive result, Service
Detected is listed as “unknown.”
How do you think performance would be impacted, if these two ports were
excluded from the scan?
4. For the same host, expand the “Windows Authentication Method” QID
(70028).
If Kerberos Negotiation is not successful, NTLMv2 will be used. You can adjust
the options in your Windows authentication record to add or remove supported
authentication protocols.
LAB 5: Basic Scanning Approaches (15 min.)
While there are many different ways to target and scan host assets, there are three
basic approaches that should be a part of every scanning program.
Certification/Accreditation scans are typically performed during a new host’s staging
phases, prior to its move into your production environment.
Discovery/Inventory scans are typically lightweight and target host Information
Gathered (IG) data. Scans of this nature support inventory management, including
Asset Tag labeling and updates.
The primary goal of an Assessment scan is to find and then eventually mitigate host
vulnerabilities.
The lab exercises that follow provide steps to build and configure an Option Profile for
each approach.
Certification/Accreditation Scan
Use the Certification/Accreditation scan to qualify host assets for entry into your
production environments.
1. Navigate to the “Scans” section and click the “Option Profile” tab.
6. Scroll down to “Password Brute Forcing,” select the “Custom” check box and
then click the “Configure” button.
7. From the “Configure Password Brute Forcing” window, click the “New” button.
13. Expand the “SSH” lists and select the “Unix Defaults” list you just created.
14. Click the “Save” button.
15. Leave the “Complete” radio button selected under “Vulnerability Detection.”
16. Scroll down and enable authentication for both Windows and Unix/Cisco hosts
(or any other authentication options needed for your host assets).
17. Scroll to the bottom of the Option Profile and click the “Save” button.
Discovery/Inventory Scan
Discovery/Inventory scans are designed to collect the kind of data commonly used for
asset and inventory management tasks. These scans are typically lightweight and target
host Information Gathered (IG) data.
1. From the “Option Profile” tab, click the “New” button and select the “Import
from Library…” option.
2. Select the check box for “Light Inventory Scan v.1,” then scroll down and click
the “Import” button, followed by the “Make Global” button.
3. From the “Option Profile” tab, use the “Quick Actions” menu to edit “Light
Inventory Scan v.1.”
4. Replace the existing Title with: SSBP Discovery/Inventory Scan.
5. Click “Scan” in the navigation pane (left).
6. Notice the configuration of the TCP and UDP port options.
Fewer ports are needed by an inventory scan that does not perform any
vulnerability assessment tests.
7. Scroll down to the “Vulnerability Detection” section.
8. Leave the “Custom” radio button selected and then click the “Add Lists” button
(above).
9. Select the “Custom Scan Analysis” Search List, you created in the previous lab.
10. Select the “Inventory Results v.1” Search List.
11. Scroll to the bottom of the list and click the “OK” button.
Any Search List added here should mainly contain “Information Gathered” QIDs.
After examining both lists, what other QIDs would you want to include in your
inventory scan?
12. Select the check box to include “Basic host information checks.”
The option to perform “Basic host information checks” is often left unchecked
when the “Custom” vulnerability detection option is used.
You’ll typically want to include “Basic host information checks” in your scans.
13. Enable authentication for both Windows and Unix/Cisco host assets (or any
other authentication options needed for your host assets).
14. Scroll to the bottom of the Option Profile and click the “Save” button.
Assessment Scan
The primary goal of an Assessment scan is to find and then eventually mitigate host
vulnerabilities.
When creating a new Option Profile, the default profile settings already reflect those
recommended for an assessment scan. Most of the steps that follow will simply have
you verify these default settings.
1. Click the “New” button and select “Option Profile.”
2. Enter “SSBP Assessment Scan” in the “Title” field.
3. Click “Scan” in the navigation pane (left).
4. Leave TCP ports set to the “Standard Scan” option, and then select the
“Additional” check box.
Although the Standard Scan option provides good coverage of the most
commonly used TCP ports, finding and adding previously unscanned ports could
have a significant impact on your scan results.
5. Enter ports 2375, 2376 and 2377 in the “Additional” text box.
6. Leave UDP ports set to the “Standard Scan” option.
7. Scroll down and ensure that “Vulnerability Detection” is set to the “Complete”
option.
8. Enable authentication for both Windows and Unix/Cisco host assets (or any
other authentication option needed for your host assets).
9. Scroll to the bottom of the Option Profile and click the “Save” button.
LAB 6: Scanning Cloud Agent Hosts (10 min.)
Some Qualys users have elected to perform vulnerability scans that target host assets
already running Qualys Cloud Agent (CA). This can be beneficial for CA hosts that
potentially have “Remote Detection Only” vulnerabilities. If used, these “supplemental”
vulnerability scans would not need to duplicate vulnerability tests already provided by
Cloud Agent.
In this lab, you will create a Search List that identifies the vulnerabilities already covered
by CA and exclude them in the Option Profile used for your agent host scans.
Create Option Profile
Create an Option Profile that excludes the CA QIDs.
1. From the “Options Profiles” tab, click the “New” button, and select “Option
Profile…”.
2. Type “Cloud Agent Scan” in the “Title” field.
LAB 7: Scan Delegation (15 min.)
Manager users will benefit from delegating scanning responsibilities to other members
of your operational teams. This lab exercise is designed to help you identify some of the
access privilege requirements when delegating scanning tasks to other user accounts.
Launch Vulnerability Scan
The following lab steps will highlight the missing privileges from the “Scanner” role and
give you the opportunity to fix them.
1. From your Scanner account, navigate to the “Scans” tab, and launch a new
vulnerability scan. Attempt to use the following options:
3. Use your “Manager” account (from your other browser) to grant the “Scanner”
account access to “AG: San Jose” (as depicted above).
4. Edit “SSBP Custom Profile” and ensure that it has the “Global” setting checked
(as depicted above).
5. Return to the Scanner account and re-attempt the scan.
– Title: Scan with Scanner Privileges
– Option Profile: SSBP Custom Profile
– Asset Groups: AG: San Jose
Were you successful on this attempt? Which of the following objects is the
“Scanner” account unable to create, modify or edit?
– Option Profile
– Authentication Record
– Asset Group
Creating and using multiple user roles (e.g., Remediation User, Reader, Scanner,
etc…) in your trial account is one of the best ways to experiment and discover the
capabilities and limitations of each user role.