Bugtraq mailing list archives

Re: analysis of auditable port scanning techniques


From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Sat, 6 Jan 2001 02:43:57 -0800

Rainer Weikusat <weikusat () mail uni-mainz de> writes:
Dan Harkless <dan-bugtraq () DILVISH SPEED NET> writes:
Using this grammar applied to the data we send to an arbitrary host piped
to the ident/auth port will reveal the process owner running on a given
port, even though we initiated the connection.

Uh, no.  With properly-written ident daemons, such as pidentd,
-------------
#!/bin/bash
#
# Usage: $0 <hostname>
# Outer invocation: open a connection to each port below 1024 on the target.
# Inner "sub" invocation (spawned by socket(1) with its stdin/stdout attached
# to that connection) asks the target's ident daemon who owns the connection.

if [ "$1" != sub ];
then
    # Old BIND host(1) printed "name A addr", so the address was field 3;
    # current host(1) prints "name has address addr", where it is field 4.
    export HOST=$(host $1 | awk '{ print $3; }')
    declare -i I=1
    export PPPID=$$             # outer shell's pid, to reach its stdout below

    while [ $I -lt 1024 ];
    do
        (
            export I
            socket -r -p "$0 sub" $HOST $I 2>/dev/null
        )

        I=$(($I + 1))
    done
else
    # Local port of the ESTABLISHED connection socket(1) just opened to $HOST:$I.
    LOCAL=$(netstat -n | grep ":.\+$HOST:$I.\+EST" | awk '{print $4;}' | cut -d: -f2)
    # RFC 1413 query: "<port on the ident host>,<port on this host>"; the reply
    # goes to the outer shell's stdout, not into the probe connection.
    echo "$I,$LOCAL" | nc -w 1 $HOST auth >/proc/$PPPID/fd/1
    kill $PPID                  # tear down the probe connection
fi
-------------

Just hacked up. Works wonderfully against pidentd 3.0.7-3 (Debian).

Thanks to those who corrected me on this.  I did test my understanding
before posting, and I couldn't get my pidentd to respond for connections
that didn't originate on its machine, but obviously I was doing something
wrong (not sure what).  A re-test just now reveals that indeed it will
respond correctly for connections not originating on the machine it's
running on.

Well, there's a feature request for auth/ident/tap daemons running on OSes
(if any) that can distinguish after-the-fact between connections that
originated locally and those that originated remotely.  Assuming that
doesn't break RFCs 931 / 1413, of course (I'd re-read them right now to
check, if I had the time)...

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.
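The feature request above (an ident daemon that answers only for connections its own host originated) can be sketched in a few lines. The following is an added example, not pidentd's code and not anything posted in the thread: it implements RFC 1413 query parsing and replies, reads the socket table in Linux's /proc/net/tcp layout from a constructed sample, and refuses to name the owner of a connection whose local port also has a LISTEN socket, i.e. a connection this host accepted. The `hide_server_side` policy, the sample table, the peer address and the uid-to-name map are assumptions.

```python
"""RFC 1413 (ident) responder logic that answers only for client-side sockets.

Added example for the feature request in the thread; not pidentd's code. The
"hide_server_side" policy, the constructed /proc/net/tcp sample and the
uid->name map are assumptions; the column layout is Linux's /proc/net/tcp.
"""
import re

LISTEN, ESTABLISHED = 0x0A, 0x01   # socket states as shown in /proc/net/tcp

# Constructed sample table for an ident host 10.0.0.1 and a peer 10.0.0.2:
# a root-owned listener on 22, a connection the peer opened to it (this host
# is the server side), and an outbound connection by uid 1000 to peer:6667.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100000A:0016 0200000A:C351 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 20 4 30 10 -1
   2: 0100000A:C350 0200000A:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0000000000000000 20 4 30 10 -1
"""
PASSWD = {0: "root", 1000: "alice"}  # constructed stand-in for getpwuid()


def hex_to_ip(word):
    """/proc/net/tcp stores an IPv4 address as a little-endian hex word."""
    return ".".join(str(b) for b in bytes.fromhex(word)[::-1])


def parse_proc_net_tcp(text):
    entries = []
    for line in text.splitlines()[1:]:        # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        entries.append({"local": (hex_to_ip(lip), int(lport, 16)),
                        "remote": (hex_to_ip(rip), int(rport, 16)),
                        "state": int(f[3], 16),
                        "uid": int(f[7])})
    return entries


def parse_query(line):
    """'<port on ident host> , <port on peer>', each 1..65535, else None."""
    m = re.fullmatch(r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*", line.rstrip("\r\n"))
    if not m:
        return None
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (1 <= sp <= 65535 and 1 <= cp <= 65535):
        return None
    return sp, cp


def ident_reply(query, peer_ip, table, passwd, hide_server_side=True):
    """Build the RFC 1413 response line for one query from peer_ip."""
    ports = parse_query(query)
    if ports is None:
        return "0 , 0 : ERROR : INVALID-PORT"
    sp, cp = ports
    prefix = f"{sp} , {cp} : "
    conn = next((e for e in table
                 if e["state"] == ESTABLISHED
                 and e["local"][1] == sp
                 and e["remote"] == (peer_ip, cp)), None)
    if conn is None:
        return prefix + "ERROR : NO-USER"
    # Heuristic for "this end accepted the connection": the same local port
    # also carries a LISTEN socket. Answering would name the service's owner
    # to anyone able to connect, which is what the probe in the thread relies on.
    if hide_server_side and any(e["state"] == LISTEN and e["local"][1] == sp
                                for e in table):
        return prefix + "ERROR : HIDDEN-USER"
    return prefix + "USERID : UNIX : " + passwd.get(conn["uid"], str(conn["uid"]))


TABLE = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)

if __name__ == "__main__":
    for q in ("50000 , 6667", "22 , 50001", "22 , 9", "70000 , 1"):
        print(repr(q), "->", ident_reply(q, "10.0.0.2", TABLE, PASSWD))
```

With the sample table, the legitimate case (a local user's outbound connection to the peer's port 6667) is answered with the user name, while the probe pattern from the script above (the peer connected to local port 22, then asks who owns that connection) gets HIDDEN-USER; with `hide_server_side=False` the same query names root, which is the leak. HIDDEN-USER is a response RFC 1413 itself defines, so the policy does not break the protocol. The listener check is a heuristic: it only holds while the accepting socket is still in LISTEN, and a real daemon must re-read the table for every query rather than cache it.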

