Internet Security Professional Reference:SATAN and the Internet


telnetd Information

The quickest way to identify the OS type is by attempting to telnet to the systems. The telnetd provides back a banner line containing this information:

% telnet sys4.notreal.com
Trying…
Connected to sys4.notreal.com.
Escape character is '^]'.

HP-UX sys4 A.09.04 U 9000/847 (ttyp4)
login:

This system is an HP-UX 9.04 OS running on an HP 9000 Series 847.

The banner lines from the telnetd prompt of other systems in notreal.com’s domain are summarized here:

sys3.notreal.com
Digital UNIX (sys3) (ttyp1)

This system indicates that the manufacturer is Digital but does not indicate the OS type (Ultrix, OSF/1), version, or hardware platform.

dns1.notreal.com
UNIX(r) System V Release 4.0 (dns1)

This system offers very little information. No assumptions can be made of the OS type. It happens to come from a Solaris 2.x system, but this banner is no guarantee that the remote system is indeed a Solaris 2.x box.

m3.notreal.com
IRIX System V.4 (hpcsecf)

This is clearly an SGI IRIX system.


Note:  While the hacker is telneting to the SGI system, he will try to log in with the account names that, by default, have no passwords on SGI systems. These account names are guest, lp, demos, nuucp, root, tour, tutor, and 4Dgifs. (Actually, many Unix systems still use the guest login with a guest password.)

m4.notreal.com
SunOS UNIX (m4)

This is quite clearly the Sun OS system. It probably is a Sun OS 4.x, but no further details can be assumed.

sys3.notreal.com
AIX Version 4
(c)Copyrights by IBM and by others 1982, 1994.

This quite clearly is an IBM AIX 4.0.


Note:  Even though the banners from telnetd given earlier may be accurate today, patches and new OS releases may change the content of the information. A true intruder would first try to build up a database of all possible telnetd banners from as many systems as possible, to characterize all the possible OS sources of a particular banner. This is also true for the upcoming ftpd and sendmail banners. SATAN uses the banner information to quickly identify systems.

Note that a hacker can use a packet sniffer to watch users type their password when logging in using telnet. If users ever telnet to your system across the Internet, have them change their password as soon as they return to the internal company system. Otherwise, consider using kerberized telnet, sslized telnet, secure shell (ssh), or one-time passwords. This is also the case for rlogin, rexec, and FTP.

Also, some telnet daemons permit the user to pass environment variables to the remote system's login program. Some variables can be quite dangerous to pass in. Review which variables are acceptable to you, and be sure that your telnetd filters the appropriate ones. See the CERT advisory on telnetd for more information (CERT CA:95-14).

ftpd Information

The ftpd server gives version information in the opening line of its dialog with a client. Some servers also let a user who has not authenticated issue commands such as system and help.

The hacker tests whether anonymous FTP is available by trying to log in using ftp or anonymous. If it is available, the hacker then tries to exploit possible problems with ftpd. While on the system, the hacker downloads every file that is readable, especially the ~ftp/etc/passwd file. Anonymous FTP is useful in helping the intruder build up a database of information on the target system. SATAN gets version information from ftpd and checks if anonymous FTP is available.

% ftp m2.notreal.com
Connected to m2.notreal.com.
220 m2 FTP server (Digital UNIX Version 5.60) ready.
Name (m2:intruder): ftp
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> system
215 UNIX Type: L8 Version: OSF/1
ftp> help

Notice that ftpd will respond to the help command with a list of supported commands on this system. Many Internet services, such as ftpd or sendmail, offer help in response to a help command. Gathering information on what functionality is available from remote services is the goal, and the help command is useful in achieving this goal. The following shows a list of commands offered by the preceding ftpd:

!        delete       mget      quit       status
$        dir          mkdir     quote      struct
account  disconnect   mls       recv       sunique
append   form         mode      reget      system
ascii    get          modtime   rename     tenex
bell     glob         mput      reset      trace
binary   hash         newer     restart    type
bye      help         nlist     rhelp      umask
case     idle         nmap      rmdir      user
cd       image        ntrans    rstatus    verbose
cdup     lcd          open      runique    ?
chmod    ls           prompt    send
close    macdef       proxy     sendport
cr       mdelete      put       site
debug    mdir         pwd       size

The m2 is a Digital Unix system, running OSF/1. The ftpd on Ultrix gives back a similar message but actually says Ultrix. The help command provides the hacker with a number of useful tidbits: the site command is available, as are proxy, quote, system, sendport, and other useful commands. Most ftpd binaries offer a similar list of supported commands in response to a help request.

% ftp dns1.notreal.com
Connected to dns1.notreal.com.
220 dns1 FTP server (UNIX(r) System V Release 4.0) ready.
Name (dns1:intruder): ftp
530 User ftp unknown.
Login failed.
ftp> system
500 'SYST': command not understood.
ftp>

The hacker gets no information from the ftp prompt and no information from the system prompt. The preceding prompt came from a Solaris 2.4 system, but such a prompt is no guarantee that the system is a Solaris 2.4 system. For the sake of brevity, the subsequent ftp transactions have been edited to remove redundant information such as username and password prompts.

% ftp m3.notreal.com
Connected to m3.notreal.com.
220 m3 FTP server ready.
ftp> system
215 UNIX Type: L8 Version: SVR4
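To make concrete how a scanner such as SATAN turns the telnetd banners and the ftpd greeting and SYST replies shown above into an OS guess, and how little some of those banners actually prove, here is an added Python example. It is not code from the book or from SATAN; the rule table, field names and confidence labels are my own, chosen to encode the chapter's caveats (for instance, the bare SVR4 banner is rated "low"). Run against your own hosts' banners, it shows what they disclose.

```python
import re

# Banner patterns taken from the telnetd dialogs quoted in this chapter.
# Table, field names and confidence labels are mine, not SATAN's.
TELNET_RULES = (
    (r"^HP-UX \S+ (?P<version>[A-Z]\.\d+\.\d+) \S+ (?P<hardware>9000/\d+)", "HP-UX", "high"),
    (r"^Digital UNIX", "Digital UNIX (Ultrix or OSF/1)", "medium"),
    (r"^IRIX System V\.4", "SGI IRIX", "high"),
    (r"^SunOS UNIX", "SunOS (probably 4.x)", "medium"),
    (r"^AIX Version (?P<version>\d+)", "IBM AIX", "high"),
    (r"^UNIX\(r\) System V Release 4\.0", "generic SVR4 (Solaris 2.x possible)", "low"),
)

def identify_telnet(banner):
    """Classify a telnetd banner; only its first non-empty line is examined."""
    first = next((l for l in banner.splitlines() if l.strip()), "").strip()
    for pattern, label, confidence in TELNET_RULES:
        m = re.match(pattern, first)
        if m:
            fields = m.groupdict()  # version/hardware only where the banner gives them
            return {"os": label, "version": fields.get("version"),
                    "hardware": fields.get("hardware"), "confidence": confidence}
    return {"os": None, "version": None, "hardware": None, "confidence": "none"}

# 220 greeting with an optional parenthesised product string, and the 215 reply to SYST.
FTP_GREETING = re.compile(r"^220 \S+ FTP server(?: \((?P<product>.*)\))? ready\.")
FTP_SYST = re.compile(r"^215 \S+ Type: \S+(?: Version: (?P<version>.+))?$")

def identify_ftp(greeting, syst_reply=""):
    """Combine the greeting and the SYST reply into one picture of the ftpd."""
    g = FTP_GREETING.match(greeting.strip())
    s = FTP_SYST.match(syst_reply.strip())  # a 500 reply simply fails to match
    product = g.group("product") if g else None
    syst_version = s.group("version").strip() if s and s.group("version") else None
    return {"product": product, "syst_version": syst_version,
            "syst_supported": s is not None}

if __name__ == "__main__":
    for b in ("HP-UX sys4 A.09.04 U 9000/847 (ttyp4)",
              "AIX Version 4\n(c)Copyrights by IBM and by others 1982, 1994.",
              "UNIX(r) System V Release 4.0 (dns1)"):
        print(identify_telnet(b))
    print(identify_ftp("220 m2 FTP server (Digital UNIX Version 5.60) ready.",
                       "215 UNIX Type: L8 Version: OSF/1"))
    print(identify_ftp("220 dns1 FTP server (UNIX(r) System V Release 4.0) ready.",
                       "500 'SYST': command not understood."))
```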
