Bugtraq mailing list archives

Re: analysis of auditable port scanning techniques

From: Michael Bacarella <mbac () MMAP NYCT NET>
Date: Mon, 8 Jan 2001 12:28:53 -0500

I highly recommend ident2. It can be configured to be compliant yet
still return useless information (option -r). Therefore, you can
access services that require an ident server (IRC), but still not reveal
any useful information.

Example:

root@XXXXXXX:~# nmap -I localhost

Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service                 Owner
22/tcp     open        ssh                     atdhdo
23/tcp     open        telnet                  brzqgi
25/tcp     open        smtp                    brzqgi
80/tcp     open        http                    atdhdo
111/tcp    open        sunrpc                  atdhdo
113/tcp    open        auth                    atdhdo
3306/tcp   open        mysql                   atdhdo

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second


It returns 6 char random replies. It uses rand() to generate them
which is why all but 2 returned the same reply in a given scan.

-MB


On Sat, Jan 06, 2001 at 04:30:08AM +0100, dethy wrote:

Using a self made reverse ident scanner based in perl I issued the
following parameters to test pidentd (too if it answers our replies how i've
mentioned)

perl id.pl -d XXX.XXX.XXX.XXX  -p 20-25

        port            service          owner

        21              21               root
        22              22               root
        23              23               root
        25              25               root

okay, what we have here is: ports 21 - 25 were open and the PID owner was
returned.

I quickly tried it on 3 servers, all answered the query.

      Pidentd, version 3.0.10 (compiled for Linux 2.2.5-22smp)
      Pidentd, version 3.0.10 (compiled for Linux 2.2.16)
      in.identd, version 2.8.5 FreeBSD 4.2

So which versions don't answer to this request ?
To my knowledge any RFC compliant identd will answer to this request,
since the data used in the query is correct use of the EBNF described by
the RFC.


--
Michael Bacarella <mbac () mmap nyct net>
Technical Staff / New York Connect.Net, Ltd
Daytime Phone: (212) 581-2831

Current thread:

analysis of auditable port scanning techniques Guido Bakker (Jan 04)
- Re: analysis of auditable port scanning techniques Guido Bakker (Jan 05)
- Re: analysis of auditable port scanning techniques Dan Harkless (Jan 05)
  - Re: analysis of auditable port scanning techniques Rainer Weikusat (Jan 08)
    - Re: analysis of auditable port scanning techniques Dan Harkless (Jan 08)
    - Re: analysis of auditable port scanning techniques Henrik Nordstrom (Jan 09)
    - Message not available
    - Message not available
    - Re: analysis of auditable port scanning techniques D. J. Bernstein (Jan 16)
  - Re: analysis of auditable port scanning techniques John Ladwig (Jan 08)
- <Possible follow-ups>
- Re: analysis of auditable port scanning techniques dethy (Jan 08)
  - Re: analysis of auditable port scanning techniques Michael Bacarella (Jan 08)
- Re: analysis of auditable port scanning techniques Michael S Soukup (Jan 08)