UDP/TCP Scan
The hacker now wants to gain information about the remote system's /etc/inetd.conf file, which contains a list of services offered by inetd. SATAN includes programs that attempt to connect to each UDP and TCP port. The hacker can write similar socket programs to do this, but it is, once again, much easier to use SATAN.
The Internet operates under the assumption of well-known ports, as described in RFC 1700 Assigned Numbers. The /etc/services file provides a list that can be used to make assumptions on the service listening to the port that accepted a connect during the scan.
For TCP, telnet can be used to try a connect to a particular port. For example:
% more /etc/services
# This file associates official service names and aliases with
# the port number and protocol the services use.
# The form for each entry is:
# <official service name> <port number/protocol name> <aliases>
echo      7/tcp              # Echo
echo      7/udp              #
discard   9/tcp  sink null   # Discard
discard   9/udp  sink null   #
systat    11/tcp users       # Active Users
daytime   13/tcp             # Daytime
daytime   13/udp             #
% telnet dns1 echo
Trying
Connected to dns1.notreal.com.
Escape character is '^]'.
one
one
% telnet sys3 echo
Trying
telnet: Unable to connect to remote host: Connection refused
% telnet dns1 13
Trying
Connected to dns1.notreal.com.
Escape character is '^]'.
Sat Nov 11 22:22:34 1995
Connection closed by foreign host.
%
Here the hacker finds that sys3 does not offer the echo service, whereas dns1 does offer it, as well as the daytime (TCP/13) service.
For manual TCP scans, a hacker can use telnet or the SATAN TCP scanner. For UDP scans, the hacker must make a program or use the SATAN UDP scanner. Other port scanners are available at FTP archives such as COAST.
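The connect-and-label method above, as an added example that is not part of the original text or of SATAN: it parses a constructed /etc/services excerpt, tries a TCP connect the way the telnet session does, and records the service name that the port number suggests. It is written for checking a host's own listening services, so it starts a local listener on 127.0.0.1 (an assumption standing in for an inetd service) rather than contacting any remote system.

```python
"""Label TCP connect results with /etc/services names. Example added here,
not from the original text. SERVICES_TEXT is a constructed excerpt; a real
check would read the host's own /etc/services."""
import socket

SERVICES_TEXT = """\
# constructed excerpt in /etc/services format
echo      7/tcp              # Echo
echo      7/udp              #
discard   9/tcp  sink null   # Discard
systat    11/tcp users       # Active Users
daytime   13/tcp             # Daytime
daytime   13/udp             #
"""


def parse_services(text):
    """Map (port, proto) -> official service name, ignoring comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, port_proto = line.split()[:2]   # aliases after these are ignored
        port, proto = port_proto.split("/")
        table[(int(port), proto)] = name
    return table


def tcp_connects(host, port, timeout=1.0):
    """True if a TCP connect succeeds, i.e. what 'telnet host port' shows."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable
        return False


def label_open_ports(host, ports, table):
    """Return {port: assumed service} for ports that accepted a connect.
    The name is only an assumption from the well-known port number."""
    return {p: table.get((p, "tcp"), "unknown") for p in ports if tcp_connects(host, p)}


def local_listener():
    """Stand-in for an inetd service on an ephemeral port (hypothetical helper)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)  # the kernel backlog completes the handshake without accept()
    return srv


if __name__ == "__main__":
    srv = local_listener()
    print(label_open_ports("127.0.0.1", [srv.getsockname()[1]], parse_services(SERVICES_TEXT)))
```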
Tip: You can use TCP wrappers to prevent unauthorized remote systems from successfully making TCP or UDP connections to local services. Wietse Venema's tcp_wrappers is one of the most popular such programs, although several vendors include similar functionality in inetd, via inetd.sec or xinetd. Xinetd also offers a good deal of flexibility in controlling services and minimizing risks.
At this point, the hacker has spent quite a bit of time manually interrogating ftpd, sendmail, and telnetd to gather information on the remote system from banner comments. The hacker has also gained information on which services are offered on the remote system. A manual scan for this information can take 10 minutes per host. The hacker can use SATAN to scan hundreds of hosts for this information in a few seconds. Not only will SATAN do the scan, SATAN will generate summary reports, and build a database of discovered systems that can be automatically scanned. Although manual scans, as demonstrated in this section, are useful for understanding and expanding SATAN, they are quite slow and inefficient.
Portmap Information
Internet network services are offered primarily through three mechanisms: network daemons that constantly listen to a port, network daemons that use inetd to listen to a port and are invoked when a connection request is caught by inetd, and rpc services that use the portmap program to dynamically assign a port in response to a request for that particular program. The most popular rpc services are NIS and NFS, both of which offer much to the intruder.
The rpcinfo program interrogates a remote portmap program and indicates what services are available. A hacker looking at the notreal.com systems would see something such as this (for brevity's sake, TCP versions have been deleted):
% rpcinfo -p m2.notreal.com
   program vers proto   port
    100000    2   udp    111  portmapper
    100007    2   udp    877  ypbind
    100005    3   udp   1027  mountd
    100003    3   udp   2049  nfs
    100024    1   udp   1028  status
    100021    4   udp   1031  nlockmgr
    100020    3   udp   1033  llockmgr
    100011    1   udp   1036  rquotad
    100017    1   tcp   1025  rexd
    100001    3   udp   1029  rstatd
    100002    2   udp   1031  rusersd
    100008    1   udp   1033  walld
    100012    1   udp   1036  sprayd
    150001    2   udp   1038  pcnfsd
    100026    1   udp   1036  bootparam
    100028    1   tcp   1094  ypupdated
    100004    2   udp    716  ypserv
    100009    1   udp   1023  yppasswdd
The interesting services to note are nfs, ypbind, ypserv, rusersd, bootparam, mountd, and rexd. The others are useful too, so the hacker records all this information into an ever-expanding database. SATAN scans the list of services offered by the portmap program and specifically looks for the presence of nfs/mountd, yp/NIS, and rexd. All three of these services have been associated with security holes. Note that some portmaps permit remote unregistration and registration of programs, allowing a remote hacker to modify the portmap database. The newer version of portmap is called rpcbind; it still features the same issues.
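The check SATAN makes against the portmap listing, as an added example that is not SATAN's own code: it parses the output format of rpcinfo -p shown above (the sample is a constructed excerpt of the m2.notreal.com listing) and reports every registration falling into the three groups the text names. It generalizes slightly by treating every yp* program as part of yp/NIS; that grouping is an assumption of this example.

```python
"""Audit 'rpcinfo -p' output for the RPC groups the text says SATAN checks:
nfs/mountd, yp/NIS and rexd. Example added here, not SATAN's code.
RPCINFO_TEXT is a constructed excerpt in the same format as the listing."""
from collections import defaultdict

RPCINFO_TEXT = """\
   program vers proto   port
    100000    2   udp    111  portmapper
    100007    2   udp    877  ypbind
    100005    3   udp   1027  mountd
    100003    3   udp   2049  nfs
    100017    1   tcp   1025  rexd
    100001    3   udp   1029  rstatd
    100004    2   udp    716  ypserv
    100009    1   udp   1023  yppasswdd
"""


def parse_rpcinfo(text):
    """Return {name: [(program, vers, proto, port), ...]} from rpcinfo -p output."""
    regs = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[0].isdigit():  # skip the header and blank lines
            continue
        prog, vers, proto, port, name = f
        regs[name].append((int(prog), int(vers), proto, int(port)))
    return dict(regs)


def classify(name):
    """Group a program name the way the text describes SATAN's check (assumed rule:
    any yp* program counts as NIS); None for programs outside the three groups."""
    if name in ("nfs", "mountd"):
        return "nfs/mountd"
    if name.startswith("yp"):
        return "yp/NIS"
    if name == "rexd":
        return "rexd"
    return None


def audit(regs):
    """List (group, name, registrations) for every flagged program, sorted by name."""
    return [(classify(n), n, e) for n, e in sorted(regs.items()) if classify(n)]


if __name__ == "__main__":
    for group, name, entries in audit(parse_rpcinfo(RPCINFO_TEXT)):
        for prog, vers, proto, port in entries:
            print(f"{group:10} {name:10} prog {prog} v{vers} {proto}/{port}")
```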
Tip: A secure portmap program and rpcbind are available from Wietse Venema, one of the creators of SATAN and the creator of tcp_wrappers. A system admin can configure this portmap to respond only to requests from authorized network addresses. Although this can be circumvented using IP spoofing, it does improve security. This program also includes several security improvements, such as the elimination of request forwarding.