[18438] in bugtraq
Re: analysis of auditable port scanning techniques
daemon@ATHENA.MIT.EDU (Dan Harkless)
Fri Jan 5 14:01:10 2001
Message-Id: <200101050432.UAA20790@dilvish.speed.net>
Date: Thu, 4 Jan 2001 20:32:01 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Guido Bakker <guidob@sentia.nl> of "Thu, 04 Jan 2001 09:40:52 +0100." <3A543714.35D8A59A@sentia.nl>
Guido Bakker <guidob@sentia.nl> writes:
> 1.2.1 - reverse ident scanning
>
> This technique involves issuing a response to the ident/auth daemon,
> usually port 113 to query the service for the owner of the running
> process. The main reason behind this is to find daemons running as root,
> obviously this result would entice an intruder to find a vulnerable
> overflow and instigate other suspicious activities involving this
> port. Alternatively, a daemon running as user nobody (httpd) may not be as
> attractive to a user because of limited access privileges. Unknown to
> most users is that identd could release miscellaneous private information
> such as:
>
> * user info
> * entities
> * objects
> * processes
>
> Although the identification protocol would appear as an authentication
> mechanism, it was not designed or intended for this purpose. As the RFC
> states, "At best, it provides some additional auditing information with
> respect to TCP connections". Needless to say, it should not be used as an
> access control service nor relied upon for added host/username authenticity.
>
> The formal syntax taken from RFC 1413 reveals the following EBNF:
>
> FORMAL SYNTAX
>
> <request> ::= <port-pair> <EOL>
>
> <port-pair> ::= <integer> "," <integer>
>
> <EOL> ::= "015 012" ; CR-LF End of Line Indicator, octal \r\n equivalents
>
> <integer> ::= 1*5<digit> ; 1-5 digits.
>
>
> Using this grammar applied to the data we send to an arbitrary host piped
> to the ident/auth port will reveal the process owner running on a given
> port, even though we initiated the connection.
Uh, no. With properly-written ident daemons, such as pidentd, the daemon
will only respond for connections initiated on the machine on which it's
running, and with a destination of the machine querying the daemon. Do you
have examples of ident daemons that don't enforce this?
> Notoriously, the SYN method was first used to avoid a well-used IDS, named
> SATAN.
Eh? SATAN was a security scanner, not an intrusion detection system...
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
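As an added illustration (not code from this thread, from pidentd, or from RFC 1413), the request grammar quoted above applied on the responding side, together with the far-end check Dan describes: a port pair is reported only when the connection's remote end is the host asking. The connection table, addresses, owners and the "0, 0" placeholder for an unparseable request are constructed for the example.

```python
import re

# RFC 1413 request grammar as quoted in the post: <integer> "," <integer> <EOL>,
# <integer> being 1-5 digits and <EOL> CR LF (a bare LF and stray blanks are tolerated).
REQUEST_RE = re.compile(rb"^[ \t]*(\d{1,5})[ \t]*,[ \t]*(\d{1,5})[ \t]*\r?\n$")

# Constructed stand-in for this host's TCP connection table (hypothetical data);
# a real daemon reads it from the kernel. Tuples: (local_port, remote_addr, remote_port, owner).
CONNECTIONS = [
    (6191, "192.0.2.10", 23, "stjohns"),     # telnet session from this host to 192.0.2.10
    (40123, "192.0.2.10", 25, "root"),       # local MTA delivering mail to 192.0.2.10
    (80, "198.51.100.7", 40001, "nobody"),   # httpd serving a different client
]
HIDDEN_USERS = {"root"}  # owners who opt out of being reported (RFC 1413 HIDDEN-USER)

def parse_request(line: bytes):
    """Return (port_on_server, port_on_client), or None if the line is not in the grammar."""
    m = REQUEST_RE.match(line)
    return (int(m.group(1)), int(m.group(2))) if m else None

def answer(line: bytes, querier_addr: str, table=CONNECTIONS) -> bytes:
    """Build the reply a daemon that enforces the far-end check sends for one request.

    port_on_server is a port on this host, port_on_client a port on the querying host,
    so a connection is reported only when its remote end really is querier_addr.
    A query about some other client's connection to a local daemon gets NO-USER,
    which is what keeps the owners of daemons on this host from being enumerated.
    """
    pair = parse_request(line)
    if pair is None:
        # The pair cannot be echoed when the request does not parse; "0, 0" is a
        # placeholder chosen for this example, not something the RFC specifies.
        return b"0, 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = pair
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return f"{sp}, {cp} : ERROR : INVALID-PORT\r\n".encode()
    for local_port, remote_addr, remote_port, owner in table:
        if (local_port, remote_port, remote_addr) == (sp, cp, querier_addr):
            if owner in HIDDEN_USERS:
                return f"{sp}, {cp} : ERROR : HIDDEN-USER\r\n".encode()
            return f"{sp}, {cp} : USERID : UNIX : {owner}\r\n".encode()
    return f"{sp}, {cp} : ERROR : NO-USER\r\n".encode()
```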