Internet Security Professional Reference:SATAN and the Internet


Packet Sniffing

Although packet sniffing belongs more to the third phase of a network attack, and SATAN deals mainly with detecting first-phase vulnerabilities, packet sniffing remains one of the most commonly used attacks on the Internet.

If a hacker can place a packet sniffer on a major route across the Internet, the hacker can use filtering rules to watch only for connections going into or out of notreal.com. Any FTP, telnet, or rlogin connection then delivers a password in the clear, and SMTP traffic delivers mail contents and other useful information. Capturing X authority data, NIS maps, or DNS data can also be quite useful.

By distributing packet sniffers widely, perhaps by placing them surreptitiously on sites with minimal security, the hacker improves the odds of catching such connections. Even if the hacker sees only the password of a notreal.com user on an outgoing connection to some other site, the login/password combination is useful knowledge, because most users reuse a limited number of passwords. In addition, compromising that user's account on the remote system may let the hacker leverage the intrusion into access to notreal.com.

The tcpdump program is a packet sniffer; through libpcap it uses the system's capture interface (the STREAMS DLPI on Solaris, /dev/nit on SunOS, BPF on BSD systems) to monitor all traffic crossing a network interface. Its source shows how a packet sniffer could be embedded into another program in the manner of a virus or Trojan horse: distributed, and then run on an unsuspecting victim's system, it would capture information and retransmit it to the intruder's system.


Note:  tcpdump and libpcap are available from ftp://ftp.ee.lbl.gov/. They use the /dev/nit device, the STREAMS DLPI interface, or BPF to put the network interface into promiscuous mode, which normally requires root privilege; on some systems ifconfig then reports a PROMISC flag on the interface, which gives a defender one way to spot a running sniffer. When tcpdump is run, it prints the contents of each packet that passes the network interface. Command-line filter expressions let tcpdump watch only mail, only telnet, only transfers to certain hosts, or any other selection criterion. libpcap offers a library of routines that monitor LAN traffic. Not all network interfaces support promiscuous mode, so check with your vendor first.
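To make concrete what a filter-driven sniffer does with such a connection, here is an added example; it is not code from the book, from tcpdump or from libpcap. It decodes IPv4/TCP datagrams the way a capture back end would, keeps only FTP traffic to or from a watched address (the same selection a filter such as tcpdump -i <interface> 'tcp port 21 and host 192.0.2.20' makes), and pulls the USER/PASS pair out of the cleartext command channel. The addresses, port numbers and packets are constructed for the example so that it runs offline.

```python
"""Added example (not from the book, tcpdump or libpcap): a filter-driven
sniffer back end that decodes IPv4/TCP datagrams and harvests cleartext FTP
logins to or from a watched host.

The datagrams are constructed in-line so this runs offline; a real sniffer
would hand it packets read from an interface in promiscuous mode.
"""
import socket
import struct

FTP_PORT = 21
WATCHED = {"192.0.2.20"}   # constructed: stands in for the notreal.com hosts


def make_ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP datagram (constructed test input; checksums zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_ipv4_tcp(raw):
    """Decode one IPv4 datagram; return None unless it is well-formed and carries TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6 or len(raw) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    return {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
            "sport": sport, "dport": dport, "payload": raw[ihl + data_off:total_len]}


def ftp_filter(pkt, watched=WATCHED):
    """Same selection as the tcpdump expression 'tcp port 21 and host <watched>'."""
    return FTP_PORT in (pkt["sport"], pkt["dport"]) and (
        pkt["src"] in watched or pkt["dst"] in watched)


def extract_ftp_logins(datagrams, watched=WATCHED):
    """Return (client, server, user, password) for every FTP login in the capture.

    FTP sends USER and PASS as separate cleartext commands, so the last USER
    seen on a client->server flow is paired with the next PASS on that flow.
    """
    pending = {}   # (client, client port, server) -> username awaiting its PASS
    logins = []
    for raw in datagrams:
        pkt = parse_ipv4_tcp(raw)
        if pkt is None or not ftp_filter(pkt, watched) or pkt["dport"] != FTP_PORT:
            continue   # only client->server command traffic carries credentials
        flow = (pkt["src"], pkt["sport"], pkt["dst"])
        for line in pkt["payload"].decode("ascii", "replace").splitlines():
            verb, _, arg = line.strip().partition(" ")
            if verb.upper() == "USER":
                pending[flow] = arg
            elif verb.upper() == "PASS" and flow in pending:
                logins.append((pkt["src"], pkt["dst"], pending.pop(flow), arg))
    return logins


# Constructed capture: one FTP login to the watched host plus unrelated traffic.
SAMPLE_CAPTURE = [
    make_ipv4_tcp("192.0.2.10", "192.0.2.20", 2409, 21, b"USER alice\r\n"),
    make_ipv4_tcp("192.0.2.20", "192.0.2.10", 21, 2409, b"331 Password required\r\n"),
    make_ipv4_tcp("192.0.2.10", "192.0.2.20", 2409, 21, b"PASS s3cret\r\n"),
    make_ipv4_tcp("192.0.2.10", "198.51.100.5", 2410, 80, b"GET / HTTP/1.0\r\n\r\n"),
    make_ipv4_tcp("192.0.2.10", "198.51.100.5", 2411, 21, b"USER bob\r\nPASS hunter\r\n"),
]

if __name__ == "__main__":
    for client, server, user, password in extract_ftp_logins(SAMPLE_CAPTURE):
        print(f"{client} -> {server}: {user} / {password}")
```

The login to 198.51.100.5 is dropped by the host filter and the HTTP packet by the port filter, so only the notreal.com login comes out; telnet and rlogin need the same flow tracking but a keystroke-by-keystroke reassembly of the payload rather than a line-oriented parse.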

IP Layer Information

A hacker would like to know whether the target systems permit IP source routing and IP forwarding; both features can be quite useful to an attacker. The traceroute program is a convenient vehicle: with the -g option, which requests loose source routing, or modified to use strict source routing, the intruder can source-route a packet to the target through a gateway of the intruder's choosing and see whether a reply comes back. If it does, the target honours source-routed packets, which an attacker can use to reach hosts behind a filtering router or to get replies back to a forged source address. Unfortunately, SATAN does not scan for this functionality.

If the target's firewall is weak, for instance a bastion host that filters only at the application level with proxies but leaves IP forwarding enabled in its kernel, the hacker can address packets directly to hosts on the inside: the kernel forwards them straight through, the proxies never see them, and the hacker has delivered transport-layer traffic into the protected network.

A recent RFC, 1858 (Security Considerations for IP Fragment Filtering), discusses a vulnerability that arises when an IP packet is fragmented at a point inside the TCP header. A packet filter that inspects only the first fragment may see the port numbers but not the TCP flags, and a later fragment with a small offset can overwrite header bytes of the first one; these are the tiny-fragment and overlapping-fragment attacks. The hacker does not have to wait for a router to fragment a connection in passing (routers fragment on MTU, not on load): the fragments can be constructed deliberately, either to smuggle a new connection through a filter that admits only established traffic or, for a connection observed by packet sniffing, to spoof portions of its TCP header. RFC 1858 also gives the filter rules that stop it: drop TCP first fragments that carry less than a minimum amount of transport header, and drop TCP fragments with a fragment offset of 1.
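The two RFC 1858 rules, and the reason for the second one, as an added example that is not part of the book: rfc1858_verdict() applies the tiny-fragment and overlapping-fragment checks to one IPv4 fragment, and naive_reassemble() shows what a host that lets later fragments overwrite earlier bytes would see. The fragments, addresses and the 16-byte minimum transport length are constructed for this example.

```python
"""Added example (not from the book): the RFC 1858 tiny-fragment and
overlapping-fragment filter rules, plus a naive reassembly that shows what
the overlapping fragment changes.  All datagrams are constructed in-line.
"""
import struct

PROTO_TCP = 6
TMIN = 16   # assumed minimum for this example: covers ports, seq/ack, data offset and flags


def make_fragment(fo, mf, transport_bytes, proto=PROTO_TCP):
    """Constructed IPv4 header (checksum left zero) in front of partial transport data."""
    flags_frag = (0x2000 if mf else 0) | (fo & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport_bytes), 7, flags_frag,
                      64, proto, 0, b"\xc0\x00\x02\x0a", b"\xc0\x00\x02\x14")
    return hdr + transport_bytes


def fragment_fields(raw):
    """The inputs the RFC 1858 rules need, read from the IPv4 header."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack("!HxxH", raw[2:8])
    return {"fo": flags_frag & 0x1FFF,            # fragment offset in 8-byte units
            "mf": bool(flags_frag & 0x2000),      # more fragments follow
            "proto": raw[9],
            "transport_len": total_len - ihl}     # transport bytes in this fragment


def rfc1858_verdict(raw, tmin=TMIN):
    """Apply RFC 1858 sections 3.2.1 and 3.2.2 to one fragment."""
    f = fragment_fields(raw)
    if f["proto"] != PROTO_TCP:
        return "PASS"
    if f["fo"] == 0 and f["transport_len"] < tmin:
        return "DROP tiny first fragment"      # 3.2.1: too little header to filter on
    if f["fo"] == 1:
        return "DROP overlapping fragment"     # 3.2.2: would rewrite bytes 8-15 (ack/offset/flags)
    return "PASS"


def naive_reassemble(fragments):
    """Reassemble like a permissive host: later fragments overwrite earlier bytes."""
    buf = bytearray()
    for raw in fragments:
        f = fragment_fields(raw)
        data = raw[(raw[0] & 0x0F) * 4:]
        start = f["fo"] * 8
        buf.extend(b"\x00" * max(0, start + len(data) - len(buf)))
        buf[start:start + len(data)] = data
    return bytes(buf)


def tcp_flags(segment):
    """Low six bits of the TCP flags word (bytes 12-13) of a reassembled segment."""
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


# Constructed fragments of a telnet segment: first fragment is 24 bytes, ACK only,
# so a filter that admits only established connections lets it through.
SANE_FIRST = make_fragment(0, True, struct.pack("!HHIIHHHH", 2409, 23, 100, 200,
                                                 (5 << 12) | 0x10, 8192, 0, 0) + b"\x00" * 4)
# Attacker's second fragment: offset 1 rewrites ack, data offset and flags (SYN).
OVERLAP = make_fragment(1, False, struct.pack("!IHHH", 200, (5 << 12) | 0x02, 8192, 0) + b"\x00" * 6)
TINY_FIRST = make_fragment(0, True, struct.pack("!HHI", 2409, 23, 100))   # ports only, no flags
UDP_TINY = make_fragment(0, True, struct.pack("!HHI", 2409, 53, 100), proto=17)

if __name__ == "__main__":
    for name, frag in [("sane first", SANE_FIRST), ("overlap", OVERLAP), ("tiny first", TINY_FIRST)]:
        print(f"{name}: {rfc1858_verdict(frag)}")
    print("flags after naive reassembly: 0x%02x" % tcp_flags(naive_reassemble([SANE_FIRST, OVERLAP])))
```

Reassembling SANE_FIRST alone gives an ACK-only segment; reassembling it with OVERLAP turns it into a SYN, which is the connection the filter thought it had refused. The verdicts show that both attack fragments are rejected by the RFC 1858 rules while the innocent UDP fragment passes.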

X11 Information

An improperly configured X Windows server is a major vulnerability. If the user executes xhost +, that user has disabled host-based access control on the X server, permitting any client that can reach the display's TCP port (6000 plus the display number) to connect and take control of it: read the screen, watch keystrokes, and inject synthetic input. By issuing an XOpenDisplay() call against the target display, a hacker can determine whether access control permits a remote client to connect. SATAN's documentation claims it includes a program called opendisplay that does this; actually, SATAN uses xhost to determine this information. The SATAN reports indicate whether or not remote systems have X Windows access control enabled.
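What such an opendisplay check amounts to on the wire, as an added example that is not code from the book or from SATAN: build_setup_request() forms the X11 connection-setup message a client sends when it has no authorization data (what XOpenDisplay() does without an .Xauthority entry for the display), probe_display() sends it to port 6000 plus the display number, and classify_setup_reply() reads the answer. A Success reply means the display admits an unauthenticated client, the state xhost + produces. The sample replies, including the refusal text (the one Xorg servers typically send), are constructed.

```python
"""Added example (not from the book or from SATAN): what an opendisplay-style
check does on the wire.  build_setup_request() forms the X11 connection
setup a client sends with no authorization data; classify_setup_reply()
reads the server's answer.  A Success reply means the display admits an
unauthenticated client, the state 'xhost +' produces.  Sample replies are
constructed.
"""
import socket
import struct

X11_BASE_PORT = 6000


def build_setup_request():
    """X11 setup: byte order 'l' (little-endian), protocol 11.0, empty auth name and data."""
    return struct.pack("<BxHHHHxx", 0x6C, 11, 0, 0, 0)


def classify_setup_reply(data):
    """Map the server's reply to ('open'|'refused'|'authenticate'|'unknown', reason)."""
    if len(data) < 8:
        return ("unknown", None)
    status = data[0]
    if status == 1:                                  # Success: client accepted
        return ("open", None)
    if status == 0:                                  # Failed: byte 1 = reason length
        reason = data[8:8 + data[1]].decode("latin-1", "replace")
        return ("refused", reason)
    if status == 2:                                  # Authenticate: more auth data wanted
        words = struct.unpack("<H", data[6:8])[0]    # additional data length in 4-byte units
        reason = data[8:8 + 4 * words].rstrip(b"\x00").decode("latin-1", "replace")
        return ("authenticate", reason)
    return ("unknown", None)


def probe_display(host, display=0, timeout=5.0):
    """Connect to host:<6000+display>, send the setup request and classify the reply."""
    with socket.create_connection((host, X11_BASE_PORT + display), timeout=timeout) as s:
        s.sendall(build_setup_request())
        reply = s.recv(512)
    return classify_setup_reply(reply)


def make_failed_reply(reason):
    """Constructed Failed reply carrying the given reason (little-endian, as requested)."""
    body = reason.encode("latin-1")
    pad = (-len(body)) % 4
    return struct.pack("<BBHHH", 0, len(body), 11, 0, (len(body) + pad) // 4) + body + b"\x00" * pad


# Constructed replies: an open ('xhost +') display versus one enforcing access control.
OPEN_REPLY = struct.pack("<BxHHH", 1, 11, 0, 8) + b"\x00" * 32
REFUSED_REPLY = make_failed_reply("Client is not authorized to connect to Server")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_display(sys.argv[1]))
    else:
        print("open display ->", classify_setup_reply(OPEN_REPLY))
        print("protected display ->", classify_setup_reply(REFUSED_REPLY))
```

Run with a host name to probe a live display; without arguments it classifies the two constructed replies. An "open" result is exactly what a SATAN report means by a system without X Windows access control.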

rexd Information

If rexd is listed among the portmap services (rpcinfo -p shows it as program 100017, rex), the target system most likely permits execution of commands from any remote system by way of the on command. rexd has an option that requires the calling system to be listed in the hosts.equiv file, but this option is not the default. Even then the security is weak, because the check is by host name: a hacker can try to poison the DNS cache with fake resource records so that the attacking address resolves to a trusted name. rexd is an inherently insecure service that has no place on a network with assets worth protecting. SATAN includes a scan for rexd.

SNMP Information

SNMP is a service (snmpd) that facilitates network management by permitting remote programs, such as HP's OpenView Network Node Manager, to gather information about hosts and routers. The same mechanism permits a hacker to gather information about remote hosts and routers.

Each SNMP request carries a community name, which is all that authenticates the request to the snmpd program on the target. The two kinds of request that matter here are:

  SNMP GetRequest. Permits the remote user, or manager, to read a management variable, that is, one object in the MIB (Management Information Base). GetNextRequest, the variant snmpwalk relies on, steps from one object to the next.
  SNMP SetRequest. Permits the manager to alter a MIB object. Each MIB object corresponds to a system setting or counter: the host name, an interface's state, a routing-table entry.

The standard snmpd (both v1 and v2) distribution comes from CMU and includes many incredibly useful tools for gathering information about remote sites. SNMP applications are on ftp://ftp.net.cmu.edu/pub/snmp-dist/.

The three most useful applications are snmpget, snmpnetstat, and snmpwalk. A hacker can use snmpget to talk directly to the snmpd on the target system and read individual MIB objects; its companion snmpset changes them if the community name carries write access. The snmpnetstat utility effectively runs netstat on the remote system, revealing its open connections and listening ports. Here is an example:

% snmpnetstat -v 1 sys2 public
Active Internet Connections
Proto Recv-Q Send-Q  Local Address            Foreign Address       (state)
tcp   0      0       sys2.notreal.com.telne   m2.notreal.com.2409   ESTABLISHED
tcp   0      0       sys2.notreal.com.telne   m1.notreal.com.2895   ESTABLISHED
…

snmpwalk steps through the whole MIB tree with GetNextRequests and prints a vast amount of information about the remote system, much of it about kernel transport status: interfaces, addresses, routing tables, and connection tables.

The only authentication done by SNMP v1 (and by SNMPv2c) is that the request must carry the right community name, which is configured in the /etc/snmp.conf file. The default community name is public, and many sites never change it. The name travels in the clear in every datagram, so a packet sniffer recovers it as easily as a telnet password, and a community name with write access amounts to administrative control of the host, since SetRequest can change routing tables and interface state.
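The request/response exchange and the community-name check described above, as an added example that is not code from the book or from the CMU SNMP distribution: build_get_request() produces the SNMPv1 datagram that snmpget -v 1 sys2 public system.sysDescr.0 sends, encoded by hand in BER according to the RFC 1157 layout, and parse_message() decodes any v1 message, which also makes the point that the community name is a plain OCTET STRING that any packet sniffer reads off the wire. The GetResponse, its sysDescr value and the host names are constructed.

```python
"""Added example (not from the book or the CMU SNMP distribution): an SNMPv1
GetRequest encoded and decoded by hand.  build_get_request() produces the
datagram 'snmpget -v 1 sys2 public system.sysDescr.0' sends; parse_message()
decodes any v1 message, which also shows that the community name is a plain
OCTET STRING visible to any packet sniffer.  The GetResponse is constructed.
"""
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def _ber(tag, payload):
    """BER TLV (short length form below 128 bytes, long form above)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        k = (n.bit_length() + 7) // 8
        length = bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + payload

def _ber_int(value):
    return _ber(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def _ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return _ber(0x06, bytes(body))

def _snmp_message(community, pdu_tag, request_id, varbind_list_payload):
    pdu = _ber(pdu_tag, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _ber(0x30, varbind_list_payload))
    return _ber(0x30, _ber_int(0) + _ber(0x04, community.encode()) + pdu)   # version 0 = SNMPv1

def build_get_request(community, oid, request_id=1):
    """GetRequest for one object: varbind = OID + NULL placeholder value."""
    return _snmp_message(community, GET_REQUEST, request_id, _ber(0x30, _ber_oid(oid) + b"\x05\x00"))

def make_get_response(community, oid, value, request_id=1):
    """Constructed GetResponse of the shape snmpd returns for a string object."""
    return _snmp_message(community, GET_RESPONSE, request_id,
                         _ber(0x30, _ber_oid(oid) + _ber(0x04, value.encode())))

def _tlv(buf, pos=0):
    """Return (tag, value, position after the TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_message(data):
    """Decode an SNMPv1 message; OCTET STRING values come back as str, others as raw bytes."""
    _, msg, _ = _tlv(data)
    _, ver, p = _tlv(msg)
    _, comm, p = _tlv(msg, p)          # the community name, in the clear
    pdu_tag, pdu, _ = _tlv(msg, p)
    _, rid, q = _tlv(pdu)
    _, err, q = _tlv(pdu, q)
    _, _idx, q = _tlv(pdu, q)
    _, vbl, _ = _tlv(pdu, q)
    varbinds, r = [], 0
    while r < len(vbl):
        _, vb, r = _tlv(vbl, r)
        _, oid, s = _tlv(vb)
        vtag, val, _ = _tlv(vb, s)
        varbinds.append((_decode_oid(oid), val.decode("latin-1") if vtag == 0x04 else val))
    return {"version": ver[0], "community": comm.decode("latin-1"), "pdu": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True), "varbinds": varbinds}

def snmp_get(host, community, oid, timeout=3.0):
    """Network use: one GetRequest to host:161, decoded reply back (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        data, _ = s.recvfrom(4096)
    return parse_message(data)

if __name__ == "__main__":
    print(build_get_request("public", SYS_DESCR_0).hex())
    print(parse_message(make_get_response("public", SYS_DESCR_0, "SunOS sys2 5.5")))
```

Feeding a sniffed datagram to parse_message() yields the community name directly, which is why a sniffer on the management LAN defeats SNMP v1 authentication outright; snmp_get() with that name and a write-enabled community is then equivalent to snmpset.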

