[18479] in bugtraq


Re: analysis of auditable port scanning techniques

daemon@ATHENA.MIT.EDU (John Ladwig)
Mon Jan 8 19:30:20 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <14938.7695.663540.619030@linux.aravox.com>
Date:         Mon, 8 Jan 2001 14:07:43 -0600
Reply-To: John Ladwig <jladwig@ARAVOX.COM>
From: John Ladwig <jladwig@ARAVOX.COM>
X-To:         Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Dan Harkless's message <200101050432.UAA20790@dilvish.speed.net>
              of 4 January 2001

>>>>> On Thu, 4 Jan 2001 20:32:01 -0800, Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> said:

    Dan> Guido Bakker <guidob@sentia.nl> writes:
    >> 1.2.1 - reverse ident scanning
    >>
    >> This technique involves issuing a response to the ident/auth
    >> daemon, usually port 113, to query the service for the owner of
    >> the running process.  The main reason behind this is to find
    >> daemons running as root; obviously this result would entice an
    >> intruder to find a vulnerable overflow and instigate other
    >> suspicious activities involving this port. Alternatively, a
    >> daemon running as user nobody (httpd) may not be as attractive
    >> to a user because of limited access privileges. Unknown to
    >> most users is that identd could release miscellaneous private
    >> information such as:
    >>
    >> * user info
    >> * entities
    >> * objects
    >> * processes

This would be one of the reasons behind the DES support (see the
INSTALL file) in pidentd:

    Dec 30 11:19:26 host sshd[4211]: log: fwd X11 connect from
    [OOqt/GTQR5iaK/Ceu6vtwpZVOX0P1yr9]@server.example.com

The above []-delimited blob is DES-encrypted, and can be decoded by
the admin of the system which was running identd.

    # cat '[OOqt/GTQR5iaK/Ceu6vtwpZVOX0P1yr9]' | idecrypt
    Wed Dec 30 11:19:26 2000 107 172.23.1.1 5918 172.23.9.42 6001

Since ident provides information useful to the admin of the device on
which ident runs, this is sufficient.

Unfortunately, most vendor or distribution implementations of identd
do not use this functionality.

    -jml    *the above won't decode correctly, so don't bother
             fishing for my key*
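As an added illustration of the scheme the reply above describes, not code from this thread or from pidentd itself: the daemon packs the connection record (time, uid, addresses, ports), encrypts it under a key only the admin holds, and emits the []-delimited base64 blob; the admin's idecrypt step reverses it and can tell a wrong key from a good one. The record layout, the marker value and the 8-byte key handling are this example's own assumptions; single DES is used only because that is what pidentd shipped with.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"strings"
)

// One reply's contents, 24 bytes big-endian; this example's own layout, not pidentd's real one.
type IdentRecord struct {
	Marker, When, UID     uint32 // Marker is fixed so the admin can detect a wrong key or a forgery
	LocalIP, RemoteIP     [4]byte
	LocalPort, RemotePort uint16
}
const marker uint32 = 0x1D3A7A57
// desECB: single DES, block by block, no MAC. DES only because that is what pidentd used.
func desECB(key, in []byte, decrypt bool) []byte {
	blk, err := des.NewCipher(key) // errs only when the key is not 8 bytes, a configuration bug
	if err != nil {
		panic(err)
	}
	op := map[bool]func(dst, src []byte){false: blk.Encrypt, true: blk.Decrypt}[decrypt]
	out := make([]byte, len(in)) // in must be whole 8-byte blocks; both callers pass 24 bytes
	for i := 0; i < len(in); i += des.BlockSize {
		op(out[i:], in[i:])
	}
	return out
}
// Daemon side: pack, encrypt under the admin-held key, base64, wrap in [].
func EncryptIdent(key []byte, r IdentRecord) string {
	r.Marker = marker
	var pt bytes.Buffer
	binary.Write(&pt, binary.BigEndian, r) // 24 bytes = 3 DES blocks
	return "[" + base64.StdEncoding.EncodeToString(desECB(key, pt.Bytes(), false)) + "]" // 32 chars, as in the log line
}
// Admin side (the idecrypt step): a wrong key, garbage or a tampered blob fails the marker check.
func DecryptIdent(key []byte, blob string) (r IdentRecord, err error) {
	buf, err := base64.StdEncoding.DecodeString(strings.Trim(blob, "[]"))
	if err == nil && len(buf) == binary.Size(r) {
		buf = desECB(key, buf, true) // buf now holds the plaintext
	}
	if err != nil || len(buf) != binary.Size(r) || binary.BigEndian.Uint32(buf) != marker {
		return r, errors.New("malformed token, wrong key or tampering")
	}
	err = binary.Read(bytes.NewReader(buf), binary.BigEndian, &r)
	return r, err
}
```

Anyone else who reads the log sees only the opaque blob; without the key the marker check fails and the fields stay hidden, which is the point of the pidentd feature.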
