Lecture 3. Scanners

Scanners

1. What Is a Scanner?

   A scanner is a program that automatically detects security weaknesses in a remote or local host.

2. How Do Scanners Work?

   Scanners are programs that attack TCP/IP ports and services (Telnet, FTP, ...) and record the response from the target. In this way, they glean valuable information about the target host (for instance, can an anonymous user log in?).

3. What Will a Scanner Tell Me?

   A scanner might reveal certain inherent weaknesses within the target host. Interpretation of data is usually user's responsibility.

4. What Won't a Scanner Tell Me?
   • A step-by-step method of breaking in
   • The degree to which your scanning activity has been logged

5. Are Scanners Legal?

   (?) Do not use it against unauthorized hosts.

6. Why Are Scanners Important to Internet Security?

   Scanners are important to Internet security because they reveal weaknesses in the network. This information will eventually strengthen Internet security.

Historical Background

Scanner's strengths are in the fact that they are fast, versatile, and accurate. More importantly, they are freely available on the Internet.

• In the early 1980s, few people had access to Internet and the cracking information was scarce. Today, there are massive online databases and mailing lists that broadcast security weaknesses.
  • Online mailing lists of security holes.

    Resource	Location
    Firewalls mailing list	Firewalls@GreatCircle.COM
    Sneakers mailing list	Sneakers@CS.Yale.EDU
    The WWW security list	WWW-security@ns2.rutgers.edu
    The NT security list	Ntsecurity@ISS
    Bugtraq	BUGTRAQ@NETSPACE.ORG

    Joining a list: Just send an e-mail message to a special address such as majordomo@greatcircle.com. This address accepts commands from your first line of the e-mail message.In most cases, that command is as simple as subscribe. In other cases, you may be required to add the name of the list. For example, the Firewalls mailing list at GreatCircle.com requires that you send subscribe firewalls as the first line of your e-mail.

  • Web Sites like http://www.cs.purdue.edu/coast/hotlist/.

• Manual dialing to connect to a UNIX system.

• war dialer: software that dials a user-specified range of telephone numbers searching for connectables.

  In essence, scanners operate much like war dialers with two exceptions:

  • Scanners are used only on the Internet or other TCP/IP networks.
  • Scanners are more intelligent than war dialers.

The Attributes of a Scanner

The primary attributes of a scanner are

• The capability to find a machine or network
• The capability, once having found a machine, to find out what services are being run on the host
• The capability to test those services for known holes

The process with SGI machine as an example

• A Hole Is Discovered
  In late 1995, Silicon Graphics (SGI) shipped a large number of WebForce models, running IRIX, a proprietary form of UNIX. Certain versions of IRIX retained a default login for the line printer. That is, if a user initiated a Telnet session to one of these SGI boxes and logged in as lp, no password would be required.

• Looking for WebForce Models
  • Search engines for "EzSetup: + root: +  lp:" could be employed for a time
    Many of these machines retained world-readable FTP directories, visible to search engines across the Internet and the FTP directories contained /etc/passwd files.

  • Many SGI host names included words: Graphics, Art, Indy, Indigo. Those machine names can be obtained by the UNIX command:
    whois word

  • Using Scanners to Uncover WebForce Models

    All it needed to do was check each address for a Telnet connection. For each successful connection, the scanner would capture the resulting text. Thus, a typical entry might look something like this:

    Trying 199.200.0.0
    Connected to 199.200.0.0
    Escape Character is "]"
    
    IRIX 4.1
    Welcome to Graphics Town!
    Login:

  The next step would be to login as lp and then obtain /etc/passwd to find more login accounts.

  Defense: Edit the line

  	lp::4:7:lp:/var/spool/lpd:

        in the file /etc/passwd into

  	lp:*:4:7:lp:/var/spool/lpd:

Network Utilities

Some of these are not standard UNIX commands.

1. host: displays a comprehensive list of hosts within a specified domain.

   EXAMPLE: host -l -v -t any bu.edu

   ....
   bu.edu    86400 IN    HINFO    SUN-SPARCSTATION-10/41    UNIX
   PPP-77-25.bu.edu    86400 IN    A    128.197.7.237
   PPP-77-25.bu.edu    86400 IN    HINFO    PPP-HOST    PPP-SW
   PPP-77-26.bu.edu    86400 IN    A    128.197.7.238
   PPP-77-26.bu.edu    86400 IN    HINFO    PPP-HOST    PPP-SW
   ODIE.bu.edu    86400 IN    A    128.197.10.52
   ODIE.bu.edu    86400 IN    MX    10 CS.BU.EDU
   ODIE.bu.edu    86400 IN    HINFO    DEC-ALPHA-3000/300LX    OSF1
   STRAUSS.bu.edu    86400 IN    HINFO    PC-PENTIUM    DOS/WINDOWS
   BURULLUS.bu.edu    86400 IN    HINFO    SUN-3/50    UNIX (Ouch)
   GEORGETOWN.bu.edu    86400 IN    HINFO    MACINTOSH    MAC-OS
   CHEEZWIZ.bu.edu    86400 IN    HINFO    SGI-INDIGO-2    UNIX
   POLLUX.bu.edu    86400 IN    HINFO    SUN-4/20-SPARCSTATION-SLC    UNIX
   SFA109-PC201.bu.edu    86400 IN    HINFO    PC    MS-DOS/WINDOWS
   UH-PC002-CT.bu.edu    86400 IN    HINFO    PC-CLONE    MS-DOS
   SOFTWARE.bu.edu    86400 IN    HINFO    SUN-SPARCSTATION-10/30    UNIX
   CABMAC.bu.edu    86400 IN    HINFO    MACINTOSH    MAC-OS
   VIDUAL.bu.edu    86400 IN    HINFO    SGI-INDY    IRIX
   KIOSK-GB.bu.edu    86400 IN    HINFO    GATORBOX    GATORWARE
   CLARINET.bu.edu    86400 IN    HINFO    VISUAL-X-19-TURBO    X-SERVER
   DUNCAN.bu.edu    86400 IN    HINFO    DEC-ALPHA-3000/400    OSF1
   MILHOUSE.bu.edu    86400 IN    HINFO    VAXSTATION-II/GPX    UNIX
   PSY81-PC150.bu.edu    86400 IN    HINFO    PC    WINDOWS-95
   BUPHYC.bu.edu    86400 IN    HINFO    VAX-4000/300    OpenVMS
   ....

   • ODIE.bu.edu is a possible target for the mount -d -s bug, where if two successive mount -d -s commands are sent within seconds of one another (and before another host has issued such a request), the request will be honored. It's because it is DEC-ALPHA running OSF1.

   • CHEEZEWIZ.bu.edu is a potential target for either the lp login bug or the Telnet bug. Or maybe, if we're on site, we can exploit the floppy mounter bug in /usr/etc/msdos.

   • POLLUX.bu.edu is an old machine. Perhaps Sun Patch-ID# 100376-01 hasn't been applied. Maybe they put in a fresh install of SunOS 4.1.x and the SPARC integer division is shredded.

   • I see that PSY81-PC150.bu.edu is running Windows 95. I wonder whether the SMB protocol is running and if so, are any local directories shared out? Using Samba on a Linux box, perhaps I can attach one of the shared out directories from anywhere on the Internet simply by specifying myself as a guest.

2. traceroute: traces the route between two machines. This utility can be used to identify the location of a machine:

    1  193.49.144.224 (193.49.144.224)  3 ms  2 ms  2 ms
    2  gw-ft.net.univ-angers.fr (193.49.161.1)  3 ms  3 ms  3 ms
    3  angers.or-pl.ft.net (193.55.153.41)  5 ms  5 ms  5 ms
    4  nantes1.or-pl.ft.net (193.55.153.9)  13 ms  10 ms  10 ms
    5  stamand1.renater.ft.net (192.93.43.129)  25 ms  44 ms  67 ms
    6  rbs1.renater.ft.net (192.93.43.186)  45 ms  30 ms  24 ms
    7  raspail-ip2.eurogate.net (194.206.207.18)  51 ms  50 ms  58
    8  raspail-ip.eurogate.net (194.206.207.58) 288 ms311 ms 287 ms
    9  * Reston.eurogate.net (194.206.207.5)  479 ms  469 ms
   10  gsl-sl-dc-fddi.gsl.net (204.59.144.199) 486 ms 490 ms  489 ms
   11  sl-dc-8-F/T.sprintlink.net (198.67.0.8)  475 ms *  479 ms
   12  sl-mae-e-H3/0-T3.sprintlink.net (144.228.10.42)498 ms  478 ms
   13  mae-east.agis.net (192.41.177.145)  391 ms  456 ms  444 ms
   14  h0-0.losangeles1.agis.net (204.130.243.45)714 ms 556 ms714 ms
   15  pbi10.losangeles.agis.net (206.62.12.10) 554 ms 543 ms 505 ms
   16  lsan03-agis1.pbi.net (206.13.29.2)  536 ms  560 ms *
   17  * * *
   18  pm1.pacificnet.net (207.171.0.51)  556 ms  560 ms  561 ms
   19  pm1-24.pacificnet.net (207.171.17.25)  687 ms  677 ms  714 ms

   From this, it is clear that the target host is located in Los Angeles, California:

3. finger

   EXAMPLE: finger -l @cs

   [cs.sookmyung.ac.kr]
   Login name: root                        In real life: Super-User
   Directory: /                            Shell: /bin/csh
   On since Aug 13 11:26:33 on console from :0
   3 hours 34 minutes Idle Time
   Mail last read Wed Aug 12 21:22:42 1998
   No Plan.
   
   Login name: sanglee                     In real life: Lee ???? ???
   Directory: /user/faculty/sanglee        Shell: /bin/csh
   On since Aug 14 09:31:54 on pts/1 from sanglee1.sookmyung.ac.kr
   3 hours 46 minutes Idle Time
   No unread mail
   No Plan.
   
   Login name: rhee                        In real life: Gwangsoo Rhee
   Directory: /user/faculty/rhee           Shell: /bin/csh
   On since Aug 14 21:22:50 on pts/2 from edps2
   2 minutes 16 seconds Idle Time
   Mail last read Fri Aug 14 10:35:43 1998
   No Plan.

   Login name: u96205xx
   Directory: /user2/undergrad/u96205xx    Shell: /bin/csh
   On since Aug 14 21:02:10 on pts/3 from 210.120.14.133
   No unread mail
   Plan:
    to earn an enjoyable, homest living.
   
   
   Login name: shyoon                      In real life: Yoon ??? ???
   Directory: /user3/grad/shyoon           Shell: /bin/csh
   On since Aug 14 13:45:56 on pts/7 from 203.252.195.210
   7 hours 31 minutes Idle Time
   Mail last read Fri Aug 14 13:45:58 1998
   No Plan.

   Initially, this information might not seem valuable. However, it is often through these techniques that you can positively identify a user. For example, certain portions of the Internet offer varying degrees of anonymity. Internet Relay Chat (IRC) is one such system. A person connecting with a UNIX-based system can effectively obscure his or her identity on IRC but cannot easily obscure the IP address of the machine in use. Through sustained use of the finger commands, you can pin down who that user really is.

4. showmount: reveals some very interesting information about remote hosts. Most importantly, invoked with the -e command line option, showmount can provide a list of all exported directories on a given target. These directories might or might not be mountable from anywhere on the Internet.

The Scanners

1. NSS (Network Security Scanner)

   NSS (Network Security scanner) is a very obscure scanner.
   The basic value of NSS is its speed. It is extremely fast. Routine checks that it can perform include the following:

   • sendmail
   • Anon FTP
   • NFS Exports
   • TFTP
   • Hosts.equiv
   • Xhost

   ---

   NOTE: NSS will not allow you to perform Hosts.equiv unless you have root privileges. If this is a critical issue and you do not currently have root, you might want to acquire a copy of Linux, Solaris X86, or FreeBSD. By getting one of these operating systems and installing it at home, you can become root. This is a common problem with several scanners, including SATAN and certain implementations of Internet Security Scanner.

   ---

2. SATAN (Security Administrator's Tool for Analyzing Networks)
   • SATAN was released on the Internet in April, 1995 by Dan Farmer (co-author of COPS) and Venema (author of TCP_Wrapper).

   • It had an enormous amount of media attention.

   • It features a user-friendly HTML interface, complete with forms to enter targets, tables to display results, and context-sensitive tutorials that appear when a hole has been found.

   • SATAN was designed only for UNIX.

   • As the name of the program suggests, it was written for the purpose of improving network security. As such, not only must one run it in a UNIX environment, one must run it with root privileges.

   • Its functions include:
     • SATAN scans remote hosts for most known holes, including but not limited to these:
     • FTPD vulnerabilities and writable FTP directories
     • NFS vulnerabilities
     • NIS vulnerabilities
     • RSH vulnerability
     • sendmail
     • X server vulnerabilities

3. Jakal

   Jakal is a stealth scanner. That is, it will scan a domain (behind a firewall) without leaving any trace of the scan.

4. IdentTCPscan

   IdentTCPscan has the added functionality of picking out the owner of a given TCP port process.

   Port:   7    Service:        (?)    Userid:  root
   Port:   9    Service:        (?)    Userid:  root
   ....
   Port:  80    Service:        (?)    Userid:  root
   ....
   Port: 6000    Service:        (?)    Userid:  root

   By finding the UID of the process, misconfigurations can be quickly identified. The above output shows that shows a serious misconfiguration. Port 80 is running a service as root. It happens that it is running HTTPD. This is a security problem because any attacker who exploits weaknesses in your CGI can run his or her processes as root as well.

5. CONNECT

   CONNECT is a bin/sh script. Its purpose is to scan subnets for TFTP servers. (These are difficult to find. TFTP is almost always disabled these days.)

6. ISS Scanners
   • Commercial products

   • Two products: System Security Scanner and Internet Scanner

     Internet Scanner and System Scanner have complimentary scanning and detection capabilities. Internet Scanner tests vulnerabilities visible from the network. It cannot see local buffer overflows, insecure service executions, improper file ownerships and permissions, user account problems, potential exploits in system integrity or patch histories. Most importantly, it does not fingerprint individual systems, so it can not tell if a host or workstation has been hacked.

     System Scanner works exclusively at the host or workstation level. It sees localized vulnerabilities, as well as registers unauthorized or unwise alterations to underlying operating systems. Taken together, Internet Scanner and System Security Scanner test for more potential vulnerabilities and provide more risk assessment information than any other combination of products.

Some sample scans

1. Sample scan with target system Linux 1.2.13 (Slackware) using SAFEsuite from Internet Security Systems
   • The rlogin Bug: None

     # Rlogin Binding to Port
     # Connected to Rlogin Port
     # Trying to gain access via Rlogin
     127.0.0.1: ---- rlogin begin output ----
     
     127.0.0.1: ---- rlogin end output ----
     # Rlogin check complete, not vulnerable.

   • The rsh Vulnerability: Yes

     # Time Stamp(555): Rsh check: (848027962) Thu Nov 14 19:19:22
     # Checking Rsh For Vulnerabilities
     # Rsh Shell Binding to Port
     # Sending command to Rsh
     127.0.0.1: bin/bin logged in to rsh
     127.0.0.1: Files grabbed from rsh into `./127.0.0.1.rsh.files'
     127.0.0.1: Rsh vulnerable in hosts.equiv
     # Completed Checking Rsh for Vulnerability

     /etc/passwd was grabbed and saved into a file called 127.0.0.1.rsh.files.

   • FTP Vulnerablity: Yes

     127.0.0.1: ---- FTP version begin output ----
      SamsHack FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.
     127.0.0.1: ---- FTP version end output ----
     127.0.0.1:  Please login with USER and PASS.
     127.0.0.1:  Guest login ok, send your complete e-mail address as password.
     127.0.0.1:  Please login with USER and PASS.
     127.0.0.1: ANONYMOUS FTP ALLOWED
     127.0.0.1:  Guest login ok, access restrictions apply.
     127.0.0.1:  "/" is current directory.
     127.0.0.1:  iss.test: Permission denied.
     127.0.0.1:  iss.test: Permission denied. (Delete)
     127.0.0.1:  Entering Passive Mode (127,0,0,1,4,217)
     127.0.0.1:  Opening ASCII mode data connection for /bin/ls.
     127.0.0.1:  Transfer complete.
     127.0.0.1:  Entering Passive Mode (127,0,0,1,4,219)
     127.0.0.1:  Opening ASCII mode data connection for /etc/passwd (532 bytes).
     127.0.0.1:  Transfer complete.
     127.0.0.1: Files grabbed via FTP into ./127.0.0.1.anonftp.files
     127.0.0.1:  Goodbye.

2. Sample scan with target system SunOS 4.1.3 using SATAN from command-line

   process_targets: probe edps2.sookmyung.ac.kr...
   Add-fact: edps2.sookmyung.ac.kr|time|a|x
   	|||\185~S\026|offers time
   Add-fact: edps2.sookmyung.ac.kr|finger|a|x
   	|||ld.so: libc.so.102: not found\n|offers finger
   Add-fact: edps2.sookmyung.ac.kr|ftp|a|x
   	|||220 edps2 FTP server (SunOS 4.1) ready.\r\n
   	221 Goodbye.\r\n|offers ftp
   Add-fact: edps2.sookmyung.ac.kr|login|a|x||||offers login
   Add-fact: edps2.sookmyung.ac.kr|shell|a|x||||offers shell
   Add-fact: edps2.sookmyung.ac.kr|uucp|a|x
   	|||login: Password: Login incorrect.|offers uucp
   Add-fact: edps2.sookmyung.ac.kr|echo|a|x|||QUIT\r\n|offers echo
   Add-fact: edps2.sookmyung.ac.kr|telnet|a|x
   	|||\r\n\r\nSunOS UNIX (edps2)\r\n\r\000\r\n\r\000
   	login: |offers telnet
   Add-fact: edps2.sookmyung.ac.kr|chargen|a|x||| !"#$%&....
   Add-fact: edps2.sookmyung.ac.kr|discard|a|x||||offers discard
   Add-fact: edps2.sookmyung.ac.kr|sunrpc|a|x||||offers sunrpc
   Add-fact: edps2.sookmyung.ac.kr|exec|a|x||||offers exec
   Add-fact: edps2.sookmyung.ac.kr|701:TCP|a|x||||offers 701:TCP
   Add-fact: edps2.sookmyung.ac.kr|710:TCP|a|x||||offers 710:TCP
   ....
   Add-fact: edps2.sookmyung.ac.kr|1024:TCP|a|x||||offers 1024:TCP
   Add-fact: edps2.sookmyung.ac.kr|echo|a|x||||offers echo
   Add-fact: edps2.sookmyung.ac.kr|daytime|a|x||||offers daytime
   Add-fact: edps2.sookmyung.ac.kr|chargen|a|x||||offers chargen
   Add-fact: edps2.sookmyung.ac.kr|time|a|x||||offers time
   Add-fact: edps2.sookmyung.ac.kr|name|a|x||||offers name
   Add-fact: edps2.sookmyung.ac.kr|tftp|a|x||||offers tftp
   Add-fact: edps2.sookmyung.ac.kr|biff|a|x||||offers biff
   Add-fact: edps2.sookmyung.ac.kr|syslog|a|x||||offers syslog
   Add-fact: edps2.sookmyung.ac.kr|talk|a|x||||offers talk
   Add-fact: edps2.sookmyung.ac.kr|657:UDP|a|x||||offers 657:UDP
   Add-fact: edps2.sookmyung.ac.kr|698:UDP|a|x||||offers 698:UDP
   ....
   Add-fact: edps2.sookmyung.ac.kr|1040:UDP|a|x||||offers 1040:UDP
   Add-fact: edps2.sookmyung.ac.kr|nfsd|a|x||||offers nfsd
   Add-fact: edps2.sookmyung.ac.kr|dns|a|host
   	|edps2.sookmyung.ac.kr|ns.kren.nm.kr||authoritative DNS host
   Add-fact: edps2.sookmyung.ac.kr|dns|a|host
   	|edps2.sookmyung.ac.kr|egret.sookmyung.ac.kr||authoritative DNS host
   Add-fact: edps2.sookmyung.ac.kr|dns|a|host
   	|edps2.sookmyung.ac.kr|ns.kreonet.re.kr||authoritative DNS host
   Add-fact: edps2.sookmyung.ac.kr|rusersd|a|x||||runs rusersd
   Add-fact: edps2.sookmyung.ac.kr|nfs|a|x||||runs NFS
   Add-fact: edps2.sookmyung.ac.kr|mountd|a|x||||runs NFS
   Add-fact: edps2.sookmyung.ac.kr|tftp|a|nr
   	|nobody@edps2.sookmyung.ac.kr|ANY@ANY
   	|TFTP file access|tftp file read
   Add-fact: edps2.sookmyung.ac.kr|tftp|a|nw
   	|nobody@edps2.sookmyung.ac.kr|ANY@ANY
   	|TFTP file access|tftp file write
   Add-fact: edps2.sookmyung.ac.kr|ftp|a|||||offers no anon ftp
   Add-fact: edps2.sookmyung.ac.kr|showmount|u|x
   	|/var/spool/pcnfs/pc_rhee2@edps2.sookmyung.ac.kr
   	|root@pc_rhee2|edps2.sookmyung.ac.kr pc_rhee2
   	|pc_rhee2 mounts /var/spool/pcnfs/pc_rhee2 from 
   	edps2.sookmyung.ac.kr, 
   	but we can't verify that pc_rhee2 exists
   Add-fact: edps2.sookmyung.ac.kr|nfs-chk|a|x
   	|/usr1@edps2.sookmyung.ac.kr|ANY@cs.sookmyung.ac.kr
   	|NFS export to unprivileged programs
   	|exports /usr1 to unprivileged programs
   Add-fact: edps2.sookmyung.ac.kr|nfs-chk|a|x
   	|/usr@edps2.sookmyung.ac.kr|ANY@cs.sookmyung.ac.kr
   	|NFS export to unprivileged programs
   	|exports /usr to unprivileged programs
   ....
   

3. Sample scan with target system SunOS 4.1.3 using SATAN with Netscape interface
   • Initial Page (Control Panel)
   • Data Management
   • Data Management after DB creation
   • Back to Control Panel
   • Target Selection
   • Scanning
   • Reporting and Analysis of Scan Results
   • Vulnerabilities (a sample)
   • Vulnerability details
   • A related page from admin_guide_to_cracking

4. /var/adm/messages of the scanned system shows the trace.

   ....
   Nov 10 21:34:17 SamsHack ps[265]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:17 SamsHack netstat[266]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:17 SamsHack wu.ftpd[268]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:22 SamsHack ftpd[268]: FTP session closed
   Nov 10 21:34:22 SamsHack in.telnetd[269]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:23 SamsHack in.fingerd[271]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:23 SamsHack uucico[275]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:23 SamsHack in.pop3d[276]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:23 SamsHack in.rlogind[277]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:23 SamsHack in.rshd[278]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:23 SamsHack in.nntpd[279]: connect from pm7-6.pacificnet.net
   Nov 10 21:34:28 SamsHack telnetd[269]: ttloop:  read: Broken pipe
   Nov 10 21:34:28 SamsHack nntpd[279]: pm7-6.pacificnet.net connect
   Nov 10 21:34:28 SamsHack nntpd[279]: pm7-6.pacificnet.net refused connection
   Nov 10 21:34:33 SamsHack rlogind[277]: Connection from 207.171.17.199 on illegal port
   ....