NIS Information
An NIS server (ypserv) distributes maps of major system files to all systems inside an NIS/yp domain. These maps include passwd, hosts, aliases, services, and others. The NIS server transfers a map to any ypbind client that knows the domain name. There are several ways to get the NIS domain name: the bootparam method (mentioned previously and used by SATAN), the NFS server method (also mentioned previously), and intelligent guessing (also used by SATAN). The domain name is frequently something descriptive and easy to remember, to help internal users. For example, notreal might be a good guess for the NIS domain of notreal.com. The ypx program can help guess a domain name and transfer an NIS map from the NIS server.
Of course, the hacker could always busy the NIS server with a denial of service type of attack (hundreds of FTP, telnet, or smtp requests), causing the response time to an NIS client's request to be slow enough that the NIS client broadcasts a request for a new NIS server to bind to. The hacker could then answer this request, have the client bind to the hacker's system, and distribute a passwd map of the hacker's choosing to this client. At this point, the hacker has control over the target system.
Tip: NIS should never be accessible to the Internet and should not be used in a potentially hostile environment. NIS domain names should be quite cryptic and hard to guess. NIS+ tries to address many of these issues and should be considered as a replacement.
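A quick way to check whether a host of your own is still registering NIS and bootparam services with the portmapper is to run `rpcinfo -p <host>` and look for the well-known RPC program numbers. The parser below is an added example, not code from the chapter or from SATAN; the `rpcinfo -p` output it reads is constructed, and the program numbers come from the standard ONC RPC program list (ypserv 100004, ypbind 100007, yppasswdd 100009, bootparam 100026).

```python
"""Flag NIS-related RPC services in `rpcinfo -p <host>` output.

Added example, not from the original chapter. A defender runs rpcinfo
against their own hosts and feeds the text in here to spot the yp and
bootparam registrations that the chapter describes as sources of the NIS
domain name and maps. SAMPLE below is constructed output.
"""
import re

# Well-known ONC RPC program numbers for the services the chapter discusses.
NIS_PROGRAMS = {
    100004: "ypserv",
    100007: "ypbind",
    100009: "yppasswdd",
    100026: "bootparam",
}

# One registration line: program, version, protocol, port, optional name.
RPCINFO_LINE = re.compile(
    r"^\s*(?P<program>\d+)\s+(?P<vers>\d+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<port>\d+)(?:\s+(?P<name>\S+))?"
)


def parse_rpcinfo(text):
    """Return one dict per registered service found in rpcinfo -p output."""
    services = []
    for line in text.splitlines():
        m = RPCINFO_LINE.match(line)
        if not m:
            continue  # header, blank, or unrecognised line
        services.append({
            "program": int(m.group("program")),
            "version": int(m.group("vers")),
            "proto": m.group("proto"),
            "port": int(m.group("port")),
            "name": m.group("name") or "",
        })
    return services


def nis_exposure(text):
    """List (service, proto, port) for every NIS-related registration."""
    findings = []
    for svc in parse_rpcinfo(text):
        label = NIS_PROGRAMS.get(svc["program"])
        if label:
            findings.append((label, svc["proto"], svc["port"]))
    return findings


# Constructed sample of what `rpcinfo -p` prints on a host running NIS.
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100004    2   udp    714  ypserv
    100004    2   tcp    716  ypserv
    100007    2   udp    740  ypbind
    100026    1   udp    778  bootparam
    100003    3   udp   2049  nfs
"""

if __name__ == "__main__":
    for name, proto, port in nis_exposure(SAMPLE):
        print(f"NIS-related service registered: {name} {proto}/{port}")
```

Matching on program numbers rather than on the service name column matters because the name column is filled from the local rpc file and may be blank or differ between systems.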
Web Server Information
SATAN, as currently distributed, does not include any scans for web server vulnerabilities, i.e. those related to the https (SSL version of http). The dynamic growth of web server functionality will certainly lead to the introduction and discovery of new vulnerabilities. A system administrator can easily add scans for these yet-to-be-discovered vulnerabilities to SATAN; an example of adding scans to SATAN is included at the end of this chapter.
Web servers are a source of information leakage on the Internet. Although no indirect information leakage occurs via the httpd on the remote systems, the direct, or intended, information leakage from web pages can be useful. By using a web browser, a hacker can find information about users and systems in the remote network. It is possible to make an automated program that would recursively interrogate the http port (TCP/80), doing GET <page> where <page> is /index.html or similar web page paths, scanning the pages for addresses with the domain notreal.com. (PERL would seem ideal for this task.) A comparable scanner for the https (a version of http that uses SSL, usually on TCP/443) could be constructed using either SSLref2.0 or SSLeay. (See the section on SSL for details.) SATAN could easily be modified to support such web scanners.
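Since the address scan described above needs nothing more than the published pages, a site owner can run the same check against their own HTML before it goes out. The audit below is an added example, not code from the chapter; the page it scans is constructed, and it uses notreal.com as the domain of interest exactly as the chapter does.

```python
"""Audit HTML pages for hostnames and e-mail addresses in a given domain.

Added example, not part of the original chapter. The chapter observes that
a crawler can harvest notreal.com addresses from published pages; this
runs that check over a site's own pages so the leakage is seen first by
its owner. SAMPLE_PAGE is constructed.
"""
import html
import re

DOMAIN = "notreal.com"


def leak_pattern(domain):
    """Regex for hostnames or e-mail addresses ending in `domain`.

    A lookbehind stops matches starting mid-word; the trailing lookahead
    only rejects word characters, so a following '.', '/' or '>' is fine.
    """
    d = re.escape(domain)
    return re.compile(
        r"(?<![\w.-])(?:[\w.+-]+@)?(?:[\w-]+\.)*" + d + r"(?![\w-])",
        re.IGNORECASE,
    )


def strip_tags(page):
    """Crude HTML-to-text: drop tags and decode entities such as &lt;."""
    return html.unescape(re.sub(r"<[^>]+>", " ", page))


def find_leaks(page, domain=DOMAIN):
    """Return sorted, unique addresses in `page` that end with `domain`.

    Both the raw page (so href="mailto:..." values are seen) and the
    tag-stripped text (so entity-encoded addresses are seen) are scanned.
    The bare domain name itself is not reported; hosts and users are.
    """
    pat = leak_pattern(domain)
    found = set()
    for text in (page, strip_tags(page)):
        for m in pat.finditer(text):
            found.add(m.group(0).lower())
    found.discard(domain.lower())
    return sorted(found)


# Constructed page mixing visible text, an entity-encoded address and a link.
SAMPLE_PAGE = """<html><body>
<h1>Notreal Inc.</h1>
<p>Contact <a href="mailto:webmaster@notreal.com">the webmaster</a> or
J. Smith &lt;jsmith@eng.notreal.com&gt;.</p>
<p>Internal users: see http://intranet.notreal.com/ and fw1.notreal.com.</p>
<p>Visit our partner at example.org.</p>
</body></html>"""

if __name__ == "__main__":
    for addr in find_leaks(SAMPLE_PAGE):
        print("leaked:", addr)
```

Run it over every file under the document root (for example by feeding each file's contents to `find_leaks`); anything it reports that names an internal host or a person's account is exactly what a remote crawler would collect.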
By creating a web site and having members of notreal.com connect to it, a hacker can gain information about the client systems. Some web browsers will send information about the local environment and URLs. Of course, such an approach can be extended to making corrupted binaries, Java pages, PostScript documents, or e-mail messages. This is moving from passive information gathering to active deception, but a malevolent intruder is not troubled by this.
NNTP Information
SATAN does not scan for information available through network news. NNTP is nonetheless a useful source of hostname information. It is possible to scan every posting to network news for addresses ending in notreal.com. These could be part of the e-mail addresses of posters from within notreal.com, or part of messages posted by notreal.com users. In either case, such postings provide another source of information leakage regarding notreal.com's systems and users.
The nntpd has the potential for attacks, similar to smtp, but is protected to a certain extent by being able to select which hosts can connect to it. Having embedded MIME statements in news postings can be a hidden danger if the newsreader, such as tin or Netscape, can interpret them. For example, if you have a MIME statement that does an external FTP for the .rhosts file, this could open your system to a trust attack.
Routing Information
The gated routing program broadcasts routing tables to other routing daemons. These packets can be used to build up a picture of the routing tables (netstat -r) on each of the systems in notreal.com. They also help to add hostnames to the list of systems in that domain. Knowing that gated is running can be useful because this program is vulnerable to trusting routing packets from unauthenticated sources. SATAN indicates whether or not a system is running gated.
identd Information
SATAN's TCP scan discovers whether or not a system is running an identd server, such as pidentd. Programs such as idlookup enable you to determine information about the originator of a network connection to your system. If the originator of the connection is on a system that runs pidentd, information about the system type, the local nationalization variables, and the user is available. If you can get a user to connect (by sending mail to you, FTPing to you, or using a web browser to connect to your web site), you can use idlookup to gain this information.
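What an identd server actually gives away is visible in the reply lines it returns on TCP/113, which follow the RFC 1413 format (`<port>, <port> : USERID : <opsys>[,<charset>] : <user-id>` or `<port>, <port> : ERROR : <error-type>`). The classifier below is an added example, not code from the chapter or from pidentd or idlookup; the reply lines it reads are constructed, and it is meant for checking what your own identd discloses.

```python
"""Classify RFC 1413 (identd) reply lines by what they disclose.

Added example, not from the original chapter. Feed it the replies your own
identd returns (captured with a client such as idlookup, or by querying
TCP/113 directly) to see whether it hands out real account names and
operating-system details, as the chapter describes pidentd doing.
SAMPLE_REPLIES is constructed.
"""
import re

# <port-on-server> , <port-on-client> : <resp-type> : <add-info>
REPLY = re.compile(
    r"^\s*(?P<sport>\d+)\s*,\s*(?P<cport>\d+)\s*:\s*"
    r"(?P<type>USERID|ERROR)\s*:\s*(?P<info>.*?)\s*$"
)


def parse_ident_reply(line):
    """Return a dict for one reply line, or None if it is malformed."""
    m = REPLY.match(line)
    if not m:
        return None
    rec = {
        "server_port": int(m.group("sport")),
        "client_port": int(m.group("cport")),
        "type": m.group("type"),
    }
    info = m.group("info")
    if rec["type"] == "USERID":
        # <opsys>[,<charset>] : <user-id>; the user-id may itself contain
        # ':' so split only on the first one.
        opsys_field, sep, user = info.partition(":")
        if not sep:
            return None
        opsys, _, charset = opsys_field.partition(",")
        rec["opsys"] = opsys.strip()
        rec["charset"] = charset.strip() or "US-ASCII"  # RFC 1413 default
        rec["user"] = user.strip()
    else:
        # INVALID-PORT, NO-USER, HIDDEN-USER, UNKNOWN-ERROR or an X- type
        rec["error"] = info.strip()
    return rec


def leakage(rec):
    """Label a parsed reply: 'user' (account name plus OS), 'token' (opsys
    OTHER, i.e. an opaque identifier rather than a login name), 'hidden',
    'none' (other error), or 'malformed'."""
    if rec is None:
        return "malformed"
    if rec["type"] == "ERROR":
        return "hidden" if rec["error"] == "HIDDEN-USER" else "none"
    if rec["opsys"].upper() == "OTHER":
        return "token"
    return "user"


def audit(lines):
    """Return (line, label) for each reply line."""
    return [(line, leakage(parse_ident_reply(line))) for line in lines]


# Constructed replies covering each case a defender is likely to meet.
SAMPLE_REPLIES = [
    "6191, 23 : USERID : UNIX : stjohns",
    "6193, 23 : USERID : OTHER,US-ASCII : 0x4c3f71a2",
    "6195, 23 : ERROR : HIDDEN-USER",
    "6197, 23 : ERROR : NO-USER",
    "not an ident reply",
]

if __name__ == "__main__":
    for line, label in audit(SAMPLE_REPLIES):
        print(f"{label:9s} {line}")
```

A server whose replies come back labelled `user` is telling any peer the login name and operating system behind each connection; configuring identd to answer with HIDDEN-USER or an opaque token, or not running it at all, removes that disclosure.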
By using IP spoofing and source routing, a hacker can masquerade as a host that has a current open connection and do a brute force search for user information.
If a hacker knows that a large server is accessed by a client at a certain IP address, for example, the hacker can do multiple connects to the auth port on the large server, masquerading as the client (perhaps using the FTP server bounce vulnerability), indicating the shell or login ports as destination ports on the server, and scanning all possible ports on the client. Each successful match would provide the hacker with the login name of a user who is using either remsh (rsh) or rlogin to gain access to the server. These users would be possible victims for a .rhosts attack.