A scanner is a program that automatically detects security weaknesses in a remote or local host.
Scanners are programs that attack TCP/IP ports and services (Telnet, FTP, ...) and record the response from the target. In this way, they glean valuable information about the target host (for instance, can an anonymous user log in?).
A scanner might reveal certain inherent weaknesses within the target host. Interpretation of the data is usually the user's responsibility.
Do not use scanners against unauthorized hosts.
Scanners are important to Internet security because they reveal weaknesses in the network. This information will eventually strengthen Internet security.
Scanners' strengths are that they are fast, versatile, and accurate. More importantly, they are freely available on the Internet.
Resource | Location |
Firewalls mailing list | Firewalls@GreatCircle.COM |
Sneakers mailing list | Sneakers@CS.Yale.EDU |
The WWW security list | WWW-security@ns2.rutgers.edu |
The NT security list | Ntsecurity@ISS |
Bugtraq | BUGTRAQ@NETSPACE.ORG |
Joining a list: Just send an e-mail message to a special address such as majordomo@greatcircle.com. This address accepts commands from the first line of the e-mail message. In most cases, that command is as simple as subscribe. In other cases, you may be required to add the name of the list. For example, the Firewalls mailing list at GreatCircle.com requires that you send subscribe firewalls as the first line of your e-mail.
In essence, scanners operate much like war dialers with two exceptions:
The primary attributes of a scanner are
- The capability to find a machine or network
- The capability, once having found a machine, to find out what services are being run on the host
- The capability to test those services for known holes
The process, with an SGI machine as an example
- A Hole Is Discovered
In late 1995, Silicon Graphics (SGI) shipped a large number of WebForce models, running IRIX, a proprietary form of UNIX. Certain versions of IRIX retained a default login for the line printer. That is, if a user initiated a Telnet session to one of these SGI boxes and logged in as lp, no password would be required.
- Looking for WebForce Models
The next step would be to log in as lp and then obtain /etc/passwd to find more login accounts.
- For a time, search engines could be queried for "EzSetup: + root: + lp:"
Many of these machines retained world-readable FTP directories, visible to search engines across the Internet, and those FTP directories contained /etc/passwd files.
- Many SGI host names included the words Graphics, Art, Indy, or Indigo. Such machine names can be obtained with the UNIX command:
whois word
- Using Scanners to Uncover WebForce Models
All the scanner needed to do was check each address for a Telnet connection. For each successful connection, the scanner would capture the resulting text. Thus, a typical entry might look something like this:

Trying 199.200.0.0
Connected to 199.200.0.0
Escape Character is "]"
IRIX 4.1
Welcome to Graphics Town!
Login:

Defense: Edit the line
lp::4:7:lp:/var/spool/lpd:
in the file /etc/passwd into
lp:*:4:7:lp:/var/spool/lpd:
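The check behind this defense, as an added example (not from the original notes): it finds accounts whose password field is empty in an /etc/passwd-style file and locks them with '*', the same edit recommended above. The passwd content is a constructed sample, not a real system file.

```python
"""Audit an /etc/passwd-style file for accounts with an empty password field.

Added example, not from the original notes. An empty second field means no
password is required (the 'lp' case above); the fix is a '*' in that field,
which matches no hash. The sample below is constructed.
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/csh
lp::4:7:lp:/var/spool/lpd:
daemon:*:1:1::/:
guest::100:100:Guest:/home/guest:/bin/sh
"""


def find_passwordless(passwd_text):
    """Return user names whose password field (field 2) is empty."""
    weak = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue  # skip malformed or commented lines
        if fields[1] == "":
            weak.append(fields[0])
    return weak


def lock_accounts(passwd_text, users):
    """Return the file text with the listed accounts' empty password field set to '*'.

    UID, GID, home directory and shell are left untouched, so the account
    still exists for file ownership but can no longer log in with a password.
    """
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] in users and fields[1] == "":
            fields[1] = "*"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bad = find_passwordless(SAMPLE_PASSWD)
    print("accounts without a password:", bad)
    print(lock_accounts(SAMPLE_PASSWD, bad))
```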
Some of these are not standard UNIX commands.
EXAMPLE: host -l -v -t any bu.edu
....
bu.edu 86400 IN HINFO SUN-SPARCSTATION-10/41 UNIX
PPP-77-25.bu.edu 86400 IN A 128.197.7.237
PPP-77-25.bu.edu 86400 IN HINFO PPP-HOST PPP-SW
PPP-77-26.bu.edu 86400 IN A 128.197.7.238
PPP-77-26.bu.edu 86400 IN HINFO PPP-HOST PPP-SW
ODIE.bu.edu 86400 IN A 128.197.10.52
ODIE.bu.edu 86400 IN MX 10 CS.BU.EDU
ODIE.bu.edu 86400 IN HINFO DEC-ALPHA-3000/300LX OSF1
STRAUSS.bu.edu 86400 IN HINFO PC-PENTIUM DOS/WINDOWS
BURULLUS.bu.edu 86400 IN HINFO SUN-3/50 UNIX (Ouch)
GEORGETOWN.bu.edu 86400 IN HINFO MACINTOSH MAC-OS
CHEEZWIZ.bu.edu 86400 IN HINFO SGI-INDIGO-2 UNIX
POLLUX.bu.edu 86400 IN HINFO SUN-4/20-SPARCSTATION-SLC UNIX
SFA109-PC201.bu.edu 86400 IN HINFO PC MS-DOS/WINDOWS
UH-PC002-CT.bu.edu 86400 IN HINFO PC-CLONE MS-DOS
SOFTWARE.bu.edu 86400 IN HINFO SUN-SPARCSTATION-10/30 UNIX
CABMAC.bu.edu 86400 IN HINFO MACINTOSH MAC-OS
VIDUAL.bu.edu 86400 IN HINFO SGI-INDY IRIX
KIOSK-GB.bu.edu 86400 IN HINFO GATORBOX GATORWARE
CLARINET.bu.edu 86400 IN HINFO VISUAL-X-19-TURBO X-SERVER
DUNCAN.bu.edu 86400 IN HINFO DEC-ALPHA-3000/400 OSF1
MILHOUSE.bu.edu 86400 IN HINFO VAXSTATION-II/GPX UNIX
PSY81-PC150.bu.edu 86400 IN HINFO PC WINDOWS-95
BUPHYC.bu.edu 86400 IN HINFO VAX-4000/300 OpenVMS
....
1 193.49.144.224 (193.49.144.224) 3 ms 2 ms 2 ms
2 gw-ft.net.univ-angers.fr (193.49.161.1) 3 ms 3 ms 3 ms
3 angers.or-pl.ft.net (193.55.153.41) 5 ms 5 ms 5 ms
4 nantes1.or-pl.ft.net (193.55.153.9) 13 ms 10 ms 10 ms
5 stamand1.renater.ft.net (192.93.43.129) 25 ms 44 ms 67 ms
6 rbs1.renater.ft.net (192.93.43.186) 45 ms 30 ms 24 ms
7 raspail-ip2.eurogate.net (194.206.207.18) 51 ms 50 ms 58 ms
8 raspail-ip.eurogate.net (194.206.207.58) 288 ms 311 ms 287 ms
9 * Reston.eurogate.net (194.206.207.5) 479 ms 469 ms
10 gsl-sl-dc-fddi.gsl.net (204.59.144.199) 486 ms 490 ms 489 ms
11 sl-dc-8-F/T.sprintlink.net (198.67.0.8) 475 ms * 479 ms
12 sl-mae-e-H3/0-T3.sprintlink.net (144.228.10.42) 498 ms 478 ms
13 mae-east.agis.net (192.41.177.145) 391 ms 456 ms 444 ms
14 h0-0.losangeles1.agis.net (204.130.243.45) 714 ms 556 ms 714 ms
15 pbi10.losangeles.agis.net (206.62.12.10) 554 ms 543 ms 505 ms
16 lsan03-agis1.pbi.net (206.13.29.2) 536 ms 560 ms *
17 * * *
18 pm1.pacificnet.net (207.171.0.51) 556 ms 560 ms 561 ms
19 pm1-24.pacificnet.net (207.171.17.25) 687 ms 677 ms 714 ms

From this, it is clear that the target host is located in Los Angeles, California.
EXAMPLE: finger -l @cs
[cs.sookmyung.ac.kr]
Login name: root                        In real life: Super-User
Directory: /                            Shell: /bin/csh
On since Aug 13 11:26:33 on console from :0
3 hours 34 minutes Idle Time
Mail last read Wed Aug 12 21:22:42 1998
No Plan.

Login name: sanglee                     In real life: Lee ???? ???
Directory: /user/faculty/sanglee        Shell: /bin/csh
On since Aug 14 09:31:54 on pts/1 from sanglee1.sookmyung.ac.kr
3 hours 46 minutes Idle Time
No unread mail
No Plan.

Login name: rhee                        In real life: Gwangsoo Rhee
Directory: /user/faculty/rhee           Shell: /bin/csh
On since Aug 14 21:22:50 on pts/2 from edps2
2 minutes 16 seconds Idle Time
Mail last read Fri Aug 14 10:35:43 1998
No Plan.

Login name: u96205xx
Directory: /user2/undergrad/u96205xx    Shell: /bin/csh
On since Aug 14 21:02:10 on pts/3 from 210.120.14.133
No unread mail
Plan: to earn an enjoyable, homest living.

Login name: shyoon                      In real life: Yoon ??? ???
Directory: /user3/grad/shyoon           Shell: /bin/csh
On since Aug 14 13:45:56 on pts/7 from 203.252.195.210
7 hours 31 minutes Idle Time
Mail last read Fri Aug 14 13:45:58 1998
No Plan.

Initially, this information might not seem valuable. However, it is often through these techniques that you can positively identify a user. For example, certain portions of the Internet offer varying degrees of anonymity. Internet Relay Chat (IRC) is one such system. A person connecting from a UNIX-based system can effectively obscure his or her identity on IRC but cannot easily obscure the IP address of the machine in use. Through sustained use of the finger commands, you can pin down who that user really is.
NSS (Network Security Scanner) is a very obscure scanner.
The basic value of NSS is its speed. It is extremely fast. Routine checks that it can perform include the following:
Jakal is a stealth scanner. That is, it will scan a domain (behind a firewall) without leaving any trace of the scan.
IdentTCPscan has the added functionality of picking out the owner of a given TCP port process.
Port: 7 Service: (?) Userid: root
Port: 9 Service: (?) Userid: root
....
Port: 80 Service: (?) Userid: root
....
Port: 6000 Service: (?) Userid: root

By finding the UID of the process, misconfigurations can be quickly identified. The above output shows a serious misconfiguration: port 80 is running a service as root. It happens that it is running HTTPD. This is a security problem because any attacker who exploits weaknesses in your CGI can run his or her processes as root as well.
CONNECT is a /bin/sh script. Its purpose is to scan subnets for TFTP servers. (These are difficult to find. TFTP is almost always disabled these days.)
Internet Scanner and System Scanner have complementary scanning and detection capabilities. Internet Scanner tests vulnerabilities visible from the network. It cannot see local buffer overflows, insecure service executions, improper file ownerships and permissions, user account problems, or potential exploits in system integrity or patch histories. Most importantly, it does not fingerprint individual systems, so it cannot tell if a host or workstation has been hacked.
System Scanner works exclusively at the host or workstation level. It sees localized vulnerabilities, as well as registers unauthorized or unwise alterations to underlying operating systems. Taken together, Internet Scanner and System Security Scanner test for more potential vulnerabilities and provide more risk assessment information than any other combination of products.
# Rlogin Binding to Port
# Connected to Rlogin Port
# Trying to gain access via Rlogin
127.0.0.1: ---- rlogin begin output ----
127.0.0.1: ---- rlogin end output ----
# Rlogin check complete, not vulnerable.

# Time Stamp(555): Rsh check: (848027962) Thu Nov 14 19:19:22
# Checking Rsh For Vulnerabilities
# Rsh Shell Binding to Port
# Sending command to Rsh
127.0.0.1: bin/bin logged in to rsh
127.0.0.1: Files grabbed from rsh into `./127.0.0.1.rsh.files'
127.0.0.1: Rsh vulnerable in hosts.equiv
# Completed Checking Rsh for Vulnerability

/etc/passwd was grabbed and saved into a file called 127.0.0.1.rsh.files.

127.0.0.1: ---- FTP version begin output ----
SamsHack FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.
127.0.0.1: ---- FTP version end output ----
127.0.0.1: Please login with USER and PASS.
127.0.0.1: Guest login ok, send your complete e-mail address as password.
127.0.0.1: Please login with USER and PASS.
127.0.0.1: ANONYMOUS FTP ALLOWED
127.0.0.1: Guest login ok, access restrictions apply.
127.0.0.1: "/" is current directory.
127.0.0.1: iss.test: Permission denied.
127.0.0.1: iss.test: Permission denied. (Delete)
127.0.0.1: Entering Passive Mode (127,0,0,1,4,217)
127.0.0.1: Opening ASCII mode data connection for /bin/ls.
127.0.0.1: Transfer complete.
127.0.0.1: Entering Passive Mode (127,0,0,1,4,219)
127.0.0.1: Opening ASCII mode data connection for /etc/passwd (532 bytes).
127.0.0.1: Transfer complete.
127.0.0.1: Files grabbed via FTP into ./127.0.0.1.anonftp.files
127.0.0.1: Goodbye.
process_targets: probe edps2.sookmyung.ac.kr...
Add-fact: edps2.sookmyung.ac.kr|time|a|x |||\185~S\026|offers time
Add-fact: edps2.sookmyung.ac.kr|finger|a|x |||ld.so: libc.so.102: not found\n|offers finger
Add-fact: edps2.sookmyung.ac.kr|ftp|a|x |||220 edps2 FTP server (SunOS 4.1) ready.\r\n 221 Goodbye.\r\n|offers ftp
Add-fact: edps2.sookmyung.ac.kr|login|a|x||||offers login
Add-fact: edps2.sookmyung.ac.kr|shell|a|x||||offers shell
Add-fact: edps2.sookmyung.ac.kr|uucp|a|x |||login: Password: Login incorrect.|offers uucp
Add-fact: edps2.sookmyung.ac.kr|echo|a|x|||QUIT\r\n|offers echo
Add-fact: edps2.sookmyung.ac.kr|telnet|a|x |||\r\n\r\nSunOS UNIX (edps2)\r\n\r\000\r\n\r\000 login: |offers telnet
Add-fact: edps2.sookmyung.ac.kr|chargen|a|x||| !"#$%&....
Add-fact: edps2.sookmyung.ac.kr|discard|a|x||||offers discard
Add-fact: edps2.sookmyung.ac.kr|sunrpc|a|x||||offers sunrpc
Add-fact: edps2.sookmyung.ac.kr|exec|a|x||||offers exec
Add-fact: edps2.sookmyung.ac.kr|701:TCP|a|x||||offers 701:TCP
Add-fact: edps2.sookmyung.ac.kr|710:TCP|a|x||||offers 710:TCP
....
Add-fact: edps2.sookmyung.ac.kr|1024:TCP|a|x||||offers 1024:TCP
Add-fact: edps2.sookmyung.ac.kr|echo|a|x||||offers echo
Add-fact: edps2.sookmyung.ac.kr|daytime|a|x||||offers daytime
Add-fact: edps2.sookmyung.ac.kr|chargen|a|x||||offers chargen
Add-fact: edps2.sookmyung.ac.kr|time|a|x||||offers time
Add-fact: edps2.sookmyung.ac.kr|name|a|x||||offers name
Add-fact: edps2.sookmyung.ac.kr|tftp|a|x||||offers tftp
Add-fact: edps2.sookmyung.ac.kr|biff|a|x||||offers biff
Add-fact: edps2.sookmyung.ac.kr|syslog|a|x||||offers syslog
Add-fact: edps2.sookmyung.ac.kr|talk|a|x||||offers talk
Add-fact: edps2.sookmyung.ac.kr|657:UDP|a|x||||offers 657:UDP
Add-fact: edps2.sookmyung.ac.kr|698:UDP|a|x||||offers 698:UDP
....
Add-fact: edps2.sookmyung.ac.kr|1040:UDP|a|x||||offers 1040:UDP
Add-fact: edps2.sookmyung.ac.kr|nfsd|a|x||||offers nfsd
Add-fact: edps2.sookmyung.ac.kr|dns|a|host |edps2.sookmyung.ac.kr|ns.kren.nm.kr||authoritative DNS host
Add-fact: edps2.sookmyung.ac.kr|dns|a|host |edps2.sookmyung.ac.kr|egret.sookmyung.ac.kr||authoritative DNS host
Add-fact: edps2.sookmyung.ac.kr|dns|a|host |edps2.sookmyung.ac.kr|ns.kreonet.re.kr||authoritative DNS host
Add-fact: edps2.sookmyung.ac.kr|rusersd|a|x||||runs rusersd
Add-fact: edps2.sookmyung.ac.kr|nfs|a|x||||runs NFS
Add-fact: edps2.sookmyung.ac.kr|mountd|a|x||||runs NFS
Add-fact: edps2.sookmyung.ac.kr|tftp|a|nr |nobody@edps2.sookmyung.ac.kr|ANY@ANY |TFTP file access|tftp file read
Add-fact: edps2.sookmyung.ac.kr|tftp|a|nw |nobody@edps2.sookmyung.ac.kr|ANY@ANY |TFTP file access|tftp file write
Add-fact: edps2.sookmyung.ac.kr|ftp|a|||||offers no anon ftp
Add-fact: edps2.sookmyung.ac.kr|showmount|u|x |/var/spool/pcnfs/pc_rhee2@edps2.sookmyung.ac.kr |root@pc_rhee2|edps2.sookmyung.ac.kr pc_rhee2 |pc_rhee2 mounts /var/spool/pcnfs/pc_rhee2 from edps2.sookmyung.ac.kr, but we can't verify that pc_rhee2 exists
Add-fact: edps2.sookmyung.ac.kr|nfs-chk|a|x |/usr1@edps2.sookmyung.ac.kr|ANY@cs.sookmyung.ac.kr |NFS export to unprivileged programs |exports /usr1 to unprivileged programs
Add-fact: edps2.sookmyung.ac.kr|nfs-chk|a|x |/usr@edps2.sookmyung.ac.kr|ANY@cs.sookmyung.ac.kr |NFS export to unprivileged programs |exports /usr to unprivileged programs
....
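A small parser for the pipe-delimited Add-fact records above, added here as an example (not part of the original notes or of SATAN itself). The field names are assumed from the layout of the records shown; the sample records are constructed to match that layout, and the split between "service inventory" and "findings" is our own heuristic, not a SATAN rule.

```python
"""Parse SATAN-style 'Add-fact:' records into a service inventory and findings.

Added example, not part of the original notes or of SATAN itself. The field
names (target|service|status|severity|trusted|trustee|class|text) are assumed
from the record layout shown above; the sample records are constructed.
"""
import re

SAMPLE_FACTS = r"""
Add-fact: edps2.example.edu|ftp|a|x |||220 edps2 FTP server ready.\r\n|offers ftp
Add-fact: edps2.example.edu|tftp|a|x||||offers tftp
Add-fact: edps2.example.edu|nfs|a|x||||runs NFS
Add-fact: edps2.example.edu|tftp|a|nr |nobody@edps2.example.edu|ANY@ANY |TFTP file access|tftp file read
Add-fact: edps2.example.edu|tftp|a|nw |nobody@edps2.example.edu|ANY@ANY |TFTP file access|tftp file write
Add-fact: edps2.example.edu|nfs-chk|a|x |/usr@edps2.example.edu|ANY@cs.example.edu |NFS export to unprivileged programs |exports /usr to unprivileged programs
Add-fact: edps2.example.edu|ftp|a|||||offers no anon ftp
"""

FIELDS = ("target", "service", "status", "severity", "trusted", "trustee", "class", "text")
# Texts we treat as actionable findings (our own heuristic, not a SATAN rule).
FINDING_RE = re.compile(r"file (read|write)|exports .* to unprivileged", re.I)


def parse_facts(text):
    """Yield one dict per 'Add-fact:' line; anything else is ignored."""
    for line in text.splitlines():
        if not line.startswith("Add-fact:"):
            continue
        # fields may carry stray spaces around the '|' separators, as above
        parts = [p.strip() for p in line[len("Add-fact:"):].split("|")]
        parts += [""] * max(0, len(FIELDS) - len(parts))   # pad short records
        head, tail = parts[:len(FIELDS) - 1], "|".join(parts[len(FIELDS) - 1:])
        yield dict(zip(FIELDS, head + [tail]))


def summarize(text):
    """Return (sorted services offered, [(service, trustee, text), ...])."""
    services, findings = set(), []
    for rec in parse_facts(text):
        t = rec["text"]
        if t.startswith(("offers ", "runs ")) and not t.startswith("offers no "):
            services.add(rec["service"])
        elif FINDING_RE.search(t):
            findings.append((rec["service"], rec["trustee"], t))
    return sorted(services), findings
```

Run against a real SATAN facts file, the findings list is the part worth reviewing first: the trustee column tells you who (ANY@ANY) gets the access the text describes.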
....
Nov 10 21:34:17 SamsHack ps[265]: connect from pm7-6.pacificnet.net
Nov 10 21:34:17 SamsHack netstat[266]: connect from pm7-6.pacificnet.net
Nov 10 21:34:17 SamsHack wu.ftpd[268]: connect from pm7-6.pacificnet.net
Nov 10 21:34:22 SamsHack ftpd[268]: FTP session closed
Nov 10 21:34:22 SamsHack in.telnetd[269]: connect from pm7-6.pacificnet.net
Nov 10 21:34:23 SamsHack in.fingerd[271]: connect from pm7-6.pacificnet.net
Nov 10 21:34:23 SamsHack uucico[275]: connect from pm7-6.pacificnet.net
Nov 10 21:34:23 SamsHack in.pop3d[276]: connect from pm7-6.pacificnet.net
Nov 10 21:34:23 SamsHack in.rlogind[277]: connect from pm7-6.pacificnet.net
Nov 10 21:34:23 SamsHack in.rshd[278]: connect from pm7-6.pacificnet.net
Nov 10 21:34:23 SamsHack in.nntpd[279]: connect from pm7-6.pacificnet.net
Nov 10 21:34:28 SamsHack telnetd[269]: ttloop: read: Broken pipe
Nov 10 21:34:28 SamsHack nntpd[279]: pm7-6.pacificnet.net connect
Nov 10 21:34:28 SamsHack nntpd[279]: pm7-6.pacificnet.net refused connection
Nov 10 21:34:33 SamsHack rlogind[277]: Connection from 207.171.17.199 on illegal port
....
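The scan above is easy to spot from the target's side: one source hits a dozen daemons within a few seconds. As an added example (not from the original notes), the following parses tcp_wrappers-style "connect from" syslog lines and reports any source that touches several distinct daemons inside a short window; the log lines are constructed to resemble the excerpt, not copied from a real host.

```python
"""Flag a service sweep in tcp_wrappers-style syslog 'connect from' lines.

Added example, not from the original notes. A source that contacts many distinct
daemons within seconds, as in the excerpt above, is reported. The log lines are
constructed to resemble that excerpt, not copied from a real host.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Nov 10 21:34:17 victim ps[265]: connect from pm7-6.isp.example
Nov 10 21:34:17 victim wu.ftpd[268]: connect from pm7-6.isp.example
Nov 10 21:34:22 victim ftpd[268]: FTP session closed
Nov 10 21:34:22 victim in.telnetd[269]: connect from pm7-6.isp.example
Nov 10 21:34:23 victim in.fingerd[271]: connect from pm7-6.isp.example
Nov 10 21:34:23 victim in.rlogind[277]: connect from pm7-6.isp.example
Nov 10 21:34:23 victim in.rshd[278]: connect from pm7-6.isp.example
Nov 10 21:40:01 victim in.telnetd[300]: connect from desk12.campus.example
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w.]+)\[\d+\]: "
                     r"connect from (?P<src>\S+)$")


def parse_connects(log_text, year=1996):
    """Return (timestamp, daemon, source) for 'connect from' lines; syslog has no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. 'FTP session closed' is not a connection record
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["prog"], m["src"]))
    return events


def find_sweeps(events, window_sec=60, min_services=5):
    """Return {source: daemons} for sources hitting >= min_services daemons in window_sec."""
    by_src = defaultdict(list)
    for ts, prog, src in events:
        by_src[src].append((ts, prog))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_sec}
            if len(seen) >= min_services:
                sweeps[src] = sorted(seen)
                break
    return sweeps
```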