Bugtraq mailing list archives

Re: analysis of auditable port scanning techniques


From: John Ladwig <jladwig () ARAVOX COM>
Date: Mon, 8 Jan 2001 14:07:43 -0600

On Thu, 4 Jan 2001 20:32:01 -0800, Dan Harkless <dan-bugtraq () DILVISH SPEED NET> said:

    Dan> Guido Bakker <guidob () sentia nl> writes:
    >> 1.2.1 - reverse ident scanning
    >>
    >> This technique involves issuing a response to the ident/auth
    >> daemon, usually port 113 to query the service for the owner of
    >> the running process.  The main reason behind this is to find
    >> daemons running as root, obviously this result would entice an
    >> intruder to find a vulnerable overflow and instigate other
    >> suspicious activities involving this port. Alternatively, a
    >> daemon running as user nobody (httpd) may not be as attractive
    >> to a user because of limited access privileges. Unknown to
    >> most users is that identd could release miscellaneous private
    >> information such as:
    >>
    >> * user info
    >> * entities
    >> * objects
    >> * processes

This would be one of the reasons behind the DES support (see the
INSTALL file) in pidentd:

    Dec 30 11:19:26 host sshd[4211]: log: fwd X11 connect from
        [OOqt/GTQR5iaK/Ceu6vtwpZVOX0P1yr9]@server.example.com

The above []-delimited blob is DES-encrypted, and can be decoded by
the admin of the system which was running identd.

    # cat '[OOqt/GTQR5iaK/Ceu6vtwpZVOX0P1yr9]' | idecrypt
    Wed Dec 30 11:19:26 2000 107 172.23.1.1 5918 172.23.9.42 6001

Since ident provides information useful to the admin of the device on
which ident runs, this is sufficient.

Unfortunately, most vendor or distribution implementations of identd
do not use this functionality.

    -jml    *the above won't decode correctly, so don't bother
             fishing for my key*

