Bugtraq mailing list archives
Re: analysis of auditable port scanning techniques
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Thu, 4 Jan 2001 20:32:01 -0800
Guido Bakker <guidob () sentia nl> writes:
1.2.1 - reverse ident scanning
This technique involves issuing a response to the ident/auth daemon,
usually port 113 to query the service for the owner of the running
process. The main reason behind this is to find daemons running as root;
obviously this result would entice an intruder to find a vulnerable
overflow and instigate other suspicious activities involving this
port. Alternatively, a daemon running as user nobody (httpd) may not be as
attractive to a user because of limited access privileges. Unknown to
most users is that identd could release miscellaneous private information
such as:
* user info
* entities
* objects
* processes
Although the identification protocol would appear as an authentication
mechanism, it was not designed or intended for this purpose. As the RFC
states, "At best, it provides some additional auditing information with
respect to TCP connections". Needless to say, it should not be used as an
access control service nor relied upon for added host/username authenticity.
The formal syntax taken from RFC 1413 reveals the following EBNF:
FORMAL SYNTAX
<request> ::= <port-pair> <EOL>
<port-pair> ::= <integer> "," <integer>
<EOL> ::= "015 012" ; CR-LF End of Line Indicator, octal \r\n equivalents
<integer> ::= 1*5<digit> ; 1-5 digits.
Using this grammar applied to the data we send to an arbitrary host piped
to the ident/auth port will reveal the process owner running on a given
port, even though we initiated the connection.
Uh, no. With properly written ident daemons, such as pidentd, the daemon will only respond for connections initiated on the machine on which it's running, and with a destination of the machine querying the daemon. Do you have examples of ident daemons that don't enforce this?
Notoriously, the SYN method was first used to avoid a well used IDS, named SATAN.
Eh? SATAN was a security scanner, not an intrusion detection system...

----------------------------------------------------------------------
Dan Harkless                     | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net | do not mention this private email
SpeedGate Communications, Inc.   | address in Usenet posts. Thank you.
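The two points in this exchange, worked through as an added example that is not part of the thread and is not pidentd's code: a parser for the RFC 1413 request grammar quoted above, followed by the endpoint check Dan describes, where the daemon answers only for a connection whose local end is this host and whose remote end is the querying host. The connection table, addresses, ports and owners are constructed for illustration; a real daemon reads the kernel's TCP table instead.

```python
import re

# RFC 1413 request grammar, as quoted in the thread:
#   <request>   ::= <port-pair> <EOL>
#   <port-pair> ::= <integer> "," <integer>
#   <integer>   ::= 1*5<digit>
# Whitespace around the integers is tolerated; a bare LF is accepted as well as CRLF.
REQUEST_RE = re.compile(rb"^[ \t]*(\d{1,5})[ \t]*,[ \t]*(\d{1,5})[ \t]*\r?\n$")

# Constructed stand-in for the kernel's TCP table (hypothetical values):
# (local_ip, local_port, remote_ip, remote_port, owning user)
LOCAL_IP = "192.0.2.10"
CONNECTIONS = [
    (LOCAL_IP, 22, "198.51.100.7", 40001, "root"),    # sshd session from .7
    (LOCAL_IP, 80, "203.0.113.9", 51234, "nobody"),   # httpd session from .9
]


def parse_ident_request(line):
    """Parse one request line into (server_port, client_port).

    server_port is the port on the host that answers (this daemon);
    client_port is the port on the host that sent the query.
    Raises ValueError when the text does not fit the grammar.
    """
    match = REQUEST_RE.match(line)
    if match is None:
        raise ValueError("malformed ident request")
    return int(match.group(1)), int(match.group(2))


def ident_response(querier_ip, line, table=CONNECTIONS, local_ip=LOCAL_IP):
    """Build the reply a well-behaved identd would send to querier_ip.

    The lookup is keyed on the full four-tuple: the connection must have
    this host as the local end *and* the querying host as the remote end.
    A third party asking about someone else's connection gets NO-USER, so
    it cannot walk the port space to learn which daemons run as root.
    Returns the reply as bytes, or None when the request is unparsable
    (this example then just drops the connection; that is a design choice
    of the example, not a requirement of the RFC).
    """
    try:
        server_port, client_port = parse_ident_request(line)
    except ValueError:
        return None
    pair = f"{server_port}, {client_port}".encode()
    # Five digits can still exceed the TCP port range; RFC 1413 names this INVALID-PORT.
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return pair + b" : ERROR : INVALID-PORT\r\n"
    for l_ip, l_port, r_ip, r_port, owner in table:
        if (l_ip, l_port, r_ip, r_port) == (local_ip, server_port, querier_ip, client_port):
            return pair + b" : USERID : UNIX : " + owner.encode() + b"\r\n"
    return pair + b" : ERROR : NO-USER\r\n"


if __name__ == "__main__":
    # The peer of the sshd session learns its own connection's owner ...
    print(ident_response("198.51.100.7", b"22, 40001\r\n"))
    # ... but asking about a connection it is not party to yields nothing useful.
    print(ident_response("198.51.100.7", b"80, 51234\r\n"))
```

The second call in the demo is the case Dan is making: the connection on port 80 exists and is owned by nobody, but the querying host is not its remote endpoint, so a daemon that checks the four-tuple refuses to reveal the owner.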
Current thread:
- analysis of auditable port scanning techniques Guido Bakker (Jan 04)
- Re: analysis of auditable port scanning techniques Guido Bakker (Jan 05)
- Re: analysis of auditable port scanning techniques Dan Harkless (Jan 05)
- Re: analysis of auditable port scanning techniques Rainer Weikusat (Jan 08)
- Re: analysis of auditable port scanning techniques Dan Harkless (Jan 08)
- Re: analysis of auditable port scanning techniques Henrik Nordstrom (Jan 09)
- Re: analysis of auditable port scanning techniques D. J. Bernstein (Jan 16)
- Re: analysis of auditable port scanning techniques Rainer Weikusat (Jan 08)
- <Possible follow-ups>
- Re: analysis of auditable port scanning techniques dethy (Jan 08)
- Re: analysis of auditable port scanning techniques Michael Bacarella (Jan 08)
- Re: analysis of auditable port scanning techniques Michael S Soukup (Jan 08)
