[18606] in bugtraq
Re: analysis of auditable port scanning techniques
daemon@ATHENA.MIT.EDU (Dan Harkless)
Mon Jan 15 11:42:40 2001
Message-Id: <200101130127.RAA14522@dilvish.speed.net>
Date: Fri, 12 Jan 2001 17:27:02 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> of "Sat, 06 Jan 2001 02:43:57 PST." <200101061043.CAA22576@dilvish.speed.net>
Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> writes:
> Rainer Weikusat <weikusat@mail.uni-mainz.de> writes:
> > Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> writes:
> > > > Using this grammar applied to the data we send to an arbitrary host
> > > > piped to the ident/auth port will reveal the process owner running
> > > > on a given port, even though we initiated the connection.
> > >
> > > Uh, no. With properly-written ident daemons, such as pidentd,
[...]
> Well, there's a feature request for auth/ident/tap daemons running on OSes
> (if any) that can distinguish after-the-fact between connections that
> originated locally and those that originated remotely. Assuming that
> doesn't break RFCs 931 / 1413, of course (I'd re-read them right now to
> check, if I had the time)...
Theo de Raadt just informed me via email that OpenBSD fixed their identd to
only report SS_CONNECTOUT sockets in 1996. He says as far as he knows
theirs is the only identd to implement this, and that he tried to contact
the RFC authors about getting a revision done saying that you should not
respond for non-locally-originating connections, but he either got no reply
or there was disagreement.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
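As an added example, not code from this thread or from OpenBSD's identd, here is a minimal RFC 1413 responder that applies the policy Theo describes: answer USERID queries only for connections the local host itself originated. The connection table and the `report_inbound` switch are constructed for illustration, and the `originated_locally` flag stands in for the SS_CONNECTOUT socket state the message mentions.

```python
import re

# Constructed connection table, keyed by (local_port, remote_port) as the
# RFC 1413 request names them. The second tuple field models the
# SS_CONNECTOUT state: True if this host opened the connection.
CONNECTIONS = {
    (6667, 45123): ("alice", True),   # alice connected out to an IRC server
    (45200, 80):   ("bob",   True),   # bob connected out to a web server
    (22, 51000):   ("root",  False),  # inbound session: the remote side connected to us
    (80, 51001):   ("www",   False),  # inbound HTTP request to our web server
}

# RFC 1413 request line: "<port-on-server>, <port-on-client>"
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def ident_reply(request: str, table=CONNECTIONS, report_inbound: bool = False) -> str:
    """Return the RFC 1413 response line for one request line.

    report_inbound=True reproduces the pre-fix behaviour the thread complains
    about: owners of inbound connections (which a scanner can create at will)
    are revealed. The default refuses to name them.
    """
    m = REQUEST_RE.match(request)
    if not m:
        return "0, 0 : ERROR : INVALID-PORT"
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    pair = f"{local_port}, {remote_port}"
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{pair} : ERROR : INVALID-PORT"
    entry = table.get((local_port, remote_port))
    if entry is None:
        return f"{pair} : ERROR : NO-USER"
    owner, originated_locally = entry
    if not originated_locally and not report_inbound:
        # We know the owner but decline to name it: the querying host only
        # knows this socket because it connected to us, so nothing is lost.
        return f"{pair} : ERROR : HIDDEN-USER"
    return f"{pair} : USERID : UNIX : {owner}"


if __name__ == "__main__":
    for req in ("6667, 45123", "22, 51000", "9999, 1", "junk"):
        print(f"{req!r:16} -> {ident_reply(req)}")
    print("legacy:", ident_reply("22, 51000", report_inbound=True))
```

The legitimate use (an IRC server checking who opened an outbound connection to it) still gets an answer, while a query for a connection the remote side initiated does not reveal which account owns the listening service.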