By finding the UID of the process, misconfigurations can be quickly identified. For example, examine this output. Seasoned security professionals will know that line 12 of the scan shows a serious misconfiguration. Port 80 is running a service as root. It happens that it is running HTTPD. This is a security problem because any attacker who exploits weaknesses in your CGI can run his or her processes as root as well.

I have tried many scanners. IdentTCPscan is extremely fast and as such, it is a powerful and incisive tool (a favorite of crackers). The utility works equally well on a variety of platforms, including Linux, BSDI, and SunOS. It generally comes as a compressed file containing the source code. It is written in C and is very compact. It also requires minimal network resources to run. It will build without event using most any C compiler.

Cross Reference: Obtain a copy of IdentTCPscan, written by David Goldsmith (released February 11, 1996), at http://www.giga.or.at/pub/hacker/unix.

CONNECT

CONNECT is a bin/sh script. Its purpose is to scan subnets for TFTP servers. (As you might surmise, these are difficult to find. TFTP is almost always disabled these days.) This scanner scans trailing IP addresses recursively. For this reason, you should send the process into the background (or go get yourself a beer, have some lunch, play some golf).

This scanner is of relatively little importance because TFTP is a lame protocol. There isn't much to gain. (Although, if the sysad at that location is negligent, you might be able to obtain the /etc/passwd file. Don't count on it, however. These days, the odds of finding both an open TFTP server and a non-shadowed passwd file on the same machine are practically nil.)

Cross Reference: The documentation of CONNECT is written by Joe Hentzel; according to Hentzel, the script's author is anonymous, and the release date is unknown. Obtain a copy at http://www.giga.or.at/pub/hacker/unix/.

FSPScan

FSPScan scans for FSP servers. FSP stands for File Service Protocol, an Internet protocol much like FTP. It provides for anonymous file transfers and reportedly has protection against network overloading (for example, FSP never forks). Perhaps the most security-aware feature of FSP is that it logs the incoming user's hostname. This is considered superior to FTP, which requests the user's e-mail address (which, in effect, is no logging at all). FSP was popular enough, now sporting GUI clients for Windows and OS/2.

What's extraordinary about FSPScan is that it was written by one of the co-authors of FSP! But then, who better to write such a utility?

Cross Reference: Obtain a copy of FSPScan, written by Wen-King Su (released in 1991), at http://www.giga.or.at/pub/hacker/unix.

XSCAN

XSCAN scans a subnet (or host) for X server vulnerabilities. At first glance, this doesn't seem particularly important. After all, most other scanners do the same. However, XSCAN includes an additional functionality: If it locates a vulnerable target, it immediately starts logging the keystrokes at that terminal.

Other amenities of XSCAN include the capability to scan multiple hosts in the same scan. These can be entered on the command line as arguments. (And you can specify both hosts and subnets in a kind of mix-and-match implementation.) The source for this utility is included on the CD-ROM that accompanies this book.

Cross Reference: Obtain a copy of XSCAN (release unknown) at http://www.giga.or.at/pub/hacker/unix.

Our Sample Scan

Our sample scan will be generated using a product called SAFEsuite. Many of you might be familiar with this product, which was developed by Internet Security Systems. ISS is extremely well known on the Net for a product called ISS. This product (the Internet Security Scanner) was among the first automated scanners to sell commercially.

From ISS to SAFEsuite

The first release of ISS stirred some controversy. Many people felt that releasing such a tool free to the Internet community would jeopardize the network's already fragile security. (The reaction to Dan Farmer's SATAN was very similar.) After all, why release a product that automatically detects weaknesses in a remote target? In the manual pages for ISS, the author (Christopher Klaus) addressed this issue by writing:

To provide this to the public or at least to the security-conscious crowd may cause people to think that it is too dangerous for the public, but many of the (cr/h)ackers are already aware of these security holes and know how to exploit them. These security holes are not deep in some OS routines, but standard misconfigurations that many domains on Internet tend to show. Many of these holes are warned about in CERT and CIAC advisories.

In early distributions of ISS, the source code for the program was included in the package. (This sometimes came as a shar or shell archive file and sometimes not.) For those interested in examining the components that make a successful and effective scanner, the full source for the older ISS is included on the CD-ROM that accompanies this book.

ISS has the distinction of being one of the mainstays of Internet security. It can now be found at thousands of sites in various forms and versions. It is a favorite of hackers and crackers alike, being lightweight and easy to compile on almost any UNIX-based platform. Since the original release of ISS, the utility has become incredibly popular. The development team at ISS has carried this tradition of small, portable security products onward, and SAFEsuite is its latest effort. It is a dramatic improvement over earlier versions.

SAFEsuite consists of several scanners:

- The intranet scanner
- The Web scanner
- The firewall scanner

SAFEsuite is similar to SATAN in that the configuration, management, implementation, and general use of the program can be done in a GUI environment
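As an added example (not code from the book or from any of the scanners it describes), here is the host-side check for the misconfiguration the IdentTCPscan passage above points at: a network service on port 80 whose only owning process runs as root. It reads /proc/net/tcp and /proc/<pid>/fd on Linux; parse_listeners, socket_holders and root_only_listeners are names assumed for this illustration, and the sample rows are constructed.

```python
import os
import re

LISTEN = "0A"   # state code for LISTEN in /proc/net/tcp

def parse_listeners(proc_net_tcp):
    """Return {socket_inode: local_port} for every LISTEN socket in /proc/net/tcp text."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        listeners[f[9]] = int(f[1].rsplit(":", 1)[1], 16)   # port is hex after the colon
    return listeners

def socket_holders():
    """Map socket inode -> set of effective UIDs of the processes holding it (walks /proc)."""
    holders = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as fh:
                euid = int(re.search(r"^Uid:\s+\d+\s+(\d+)", fh.read(), re.M).group(1))
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    holders.setdefault(m.group(1), set()).add(euid)
        except OSError:
            continue    # process exited, or its /proc entries are not readable by this user
    return holders

def root_only_listeners(listeners, holders):
    """Ports whose listening socket is held only by root processes: the httpd-as-root case.
    A master that binds as root but forks unprivileged workers shares the socket with
    them, so the holder set is not {0} and the port is not reported."""
    return sorted(port for ino, port in listeners.items() if holders.get(ino) == {0})

# Constructed sample (not captured from a real host): ports 80 and 8000 listening, plus one
# established connection that must be ignored.  Socket inodes are in column 10.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0 100 0 0 10 0
   1: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 11002 1 0 100 0 0 10 0
   2: 0A000005:C3A2 C0000201:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 11003 1 0 20 4 30 10 -1
"""
SAMPLE_HOLDERS = {"11001": {0}, "11002": {1001}, "11003": {1000}}   # shape socket_holders() returns

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = parse_listeners(fh.read())
    print("listening ports held only by root:", root_only_listeners(live, socket_holders()))
```

Run as root to see every process's holders; as an unprivileged user, sockets of other users' processes are simply absent from the holder map and their ports go unreported.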