Penetration Testing mailing list archives
new tools: linux pid exhaustion scanner, tcp/ip handshake scanner
From: Eli Fulkerson <elifulkerson () gmail com>
Date: Fri, 13 Jan 2006 11:25:52 -0500
Hi, list. I have two new security scanning tools, the first of which I would qualify as alpha-experimental and the second as beta-but-stable. Will be happy to receive any feedback or advice.

-------------

New Tool: Decloak

Decloak is a "pID exhaustion" scanner for Linux. It finds hidden processes by mapping out the available pID space and noting the gaps that it was unable to fill. After a gap is discovered, it calls getpriority, getsid, getpgid and checks the contents of /proc/(pid)/cmdline to identify the process and displays the results.

How does pID exhaustion work? This works by exploiting the sequential nature in which Linux assigns new pIDs to forked processes. Essentially this tool functions thusly:

    (main loop for each pid in the pid space)
        (fork)
        (child) exits immediately
        (parent) compares pid of the (child) to the pid of the child from the previous loop
            (if child_pid > old_child_pid + 1) print Found one! (child_pid)

In theory, a malevolent process would need to either subvert fork()... by rewriting the entire kernel to allow duplicate pIDs... or have a process that hops around from pID to pID to avoid this scan.

In practice however, this tool generates a lot of false positives. I've seen them in particular with mySQL and Xrealvnc. I have a feeling that they have something to do with the Linux threading model... maybe zombie threads from a former process that haven't returned their pIDs to the kernel. If anyone has any ideas on that, I would like to hear from you.

This utility has only been tested under Linux, but will most likely work on any Unix system with sequential pID numbering.

This tool and source (GPL) are available at this url: http://www.elifulkerson.com/projects/decloak.php

-------------

Also, while I am talking about negative-space system scanners, I have a second tool that I wrote some time back, but never sent to lists:

New Tool: Hardscan

Hardscan is a tool that checks for hidden tcp/ip connections via brute-forcing a handshake on every port. If the port is already in use for traffic in either direction, the handshake will fail. The utility will attempt to use SO_REUSE on the socket if it fails the first time, and will report this as well.

Executive summary pseudocode:

    (main loop for each port in the port space)
        a key is determined
        (server thread) opens a listening port, waits for the key to be delivered
        (client thread) opens a connection to the server thread and delivers the key

This tool is written in Python, and has been tested on both Linux and Win32. Source (GPL) available at: http://www.elifulkerson.com/projects/hardscan.php
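A minimal pID-exhaustion scan in Python, added here as an illustration of the Decloak loop described above; it is not Decloak's own source, it assumes Linux with /proc mounted, and the names find_gaps, scan_pid_gaps and classify are hypothetical. It goes one step beyond the post by reading the Tgid field of /proc/<pid>/status, which separates a thread of a visible process (thread IDs share the pID space, and /proc/<tid> is reachable by path even though readdir does not list it) from a task that answers syscalls but has no /proc entry at all.

```python
import os
import sys


def find_gaps(observed):
    """Return the pids skipped between consecutive child pids.

    A pid the sequential allocator jumped over was in use at that moment.
    A drop in value means the counter wrapped at pid_max; that is not a gap.
    """
    gaps = []
    for prev, cur in zip(observed, observed[1:]):
        if cur > prev + 1:
            gaps.extend(range(prev + 1, cur))
    return gaps


def scan_pid_gaps(rounds):
    """Fork `rounds` children that exit at once and report skipped pids.

    Covering the whole pid space needs pid_max (/proc/sys/kernel/pid_max) forks.
    """
    observed = []
    for _ in range(rounds):
        pid = os.fork()
        if pid == 0:
            os._exit(0)          # child: hand the pid straight back
        os.waitpid(pid, 0)       # reap it so the pid is free for reuse
        observed.append(pid)
    return find_gaps(observed)


def classify(pid):
    """Explain why a pid was unavailable: free, process, thread, or hidden."""
    info = {"pid": pid, "kind": "free", "tgid": None, "cmdline": None}
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    info["tgid"] = int(line.split()[1])
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            raw = f.read().replace(b"\0", b" ")
            info["cmdline"] = raw.decode(errors="replace").strip()
    except FileNotFoundError:
        # No /proc entry: either it exited since the scan, or it is concealed.
        try:
            os.getpgid(pid)      # the kernel still answers for a concealed task
            info["kind"] = "hidden"
        except ProcessLookupError:
            pass
        return info
    info["kind"] = "process" if info["tgid"] == pid else "thread"
    return info


if __name__ == "__main__":
    rounds = int(sys.argv[1]) if len(sys.argv) > 1 else 2000
    for gap in scan_pid_gaps(rounds):
        print(classify(gap))
```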