Internet Security Professional Reference:SATAN and the Internet


By default, remote users cannot alter MIB values but can read all MIB values. If the snmp.conf file has a set-community-name setting, remote managers can do SNMP SetRequests, permitting them to modify the local system’s MIB values. The remote user just needs to guess the community name. If the snmp.conf file has a get-community-name setting, the remote users must provide the community name before gaining access to MIB values.

Although SNMP v1 is useful for gaining system and routing information, the new SNMP v2 has adequate security to prevent most attacks. Even though v2 is available from the same source as v1, the vast majority of systems seem to support v1 or both v1 and v2. SATAN does scan for the presence of snmpd, but does not interrogate the server for information.
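The two snmp.conf settings described above can be checked mechanically. The following script is an added example and not code from the book: it reads a configuration in an assumed one-keyword-per-line format, reports whether remote SetRequests are enabled (set-community-name present), whether reads are open to every host (no get-community-name), and whether either community name is a well-known default or too short to resist guessing. The default-name list and the length threshold are policy choices made for the example.

```python
"""Audit an snmp.conf for the get/set community settings the chapter describes.

Added example, not from the book. Assumed file format: one 'keyword value' per
line, '#' starts a comment, keywords are case-insensitive. DEFAULT_COMMUNITIES
and MIN_COMMUNITY_LEN are policy choices made for this example.
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # assumed well-known defaults
MIN_COMMUNITY_LEN = 12                        # threshold chosen for the example


def parse_snmp_conf(text):
    """Map each 'keyword value' line to {keyword: value}; later lines win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def community_weakness(name):
    """Return a reason string if the community name is guessable, else None."""
    if name.lower() in DEFAULT_COMMUNITIES:
        return "well-known default"
    if len(name) < MIN_COMMUNITY_LEN:
        return f"only {len(name)} characters"
    return None


def audit_snmp_conf(text):
    """Return a list of findings; an empty list means neither setting is risky."""
    cfg = parse_snmp_conf(text)
    findings = []
    if "get-community-name" not in cfg:
        findings.append("MIB readable by any remote host (no get-community-name)")
    else:
        why = community_weakness(cfg["get-community-name"])
        if why:
            findings.append(f"get-community-name is guessable ({why})")
    if "set-community-name" in cfg:
        findings.append("remote SetRequests enabled (set-community-name present)")
        why = community_weakness(cfg["set-community-name"])
        if why:
            findings.append(f"set-community-name is guessable ({why})")
    return findings


# Constructed samples, not real configurations.
WEAK_CONF = """\
# agent that anyone can read and that a guessed name can write to
set-community-name private
"""

HARDENED_CONF = """\
# read-only agent behind a non-default, long community name
get-community-name mon-readonly-7f3a9c1e
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_snmp_conf(conf) or ["no findings"])
```

Run against the weak sample it reports three findings (open reads, writes enabled, default set community); the hardened sample produces none. Whether to allow SetRequests at all is a separate decision; the script only makes the current exposure visible.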

Other Weak Points

SATAN’s port scanning may reveal the presence of gopher, UUCP, talk, NTP, relay chat, and systat services. While major vulnerabilities in these services are not popularly known, their presence may be useful as new vulnerabilities are discovered. SATAN only scans for the presence of these services; SATAN does not attempt to gather more information or search for vulnerabilities in these services. Although UUCP used to be very helpful for attacking systems, its usage has dropped considerably. An interesting UUCP hole is one where many sendmail aliases included a uudecode alias that would automatically invoke the uudecode command on an incoming mail message.

Similarly, gopher’s popularity has declined dramatically as that of the World Wide Web has grown. Most gopher services also provide access controls that can screen out undesired connections. Talk is still a useful attack point, because it permits a remote user to write to a user’s tty, perhaps invoking commands and actions. NTP can be used to modify a system’s time, but this is more a denial of service attack than a useful vulnerability. Relay chat is interesting, but it offers little for attack and will certainly waste your time. Relay chat can help you to build up a database of users and system names. Finally, systat is rarely seen but remains a great source of information when it is present.
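Most of the services named in the two paragraphs above (talk, systat, UUCP, gopher) are started from inetd, and the uudecode hole lives in the mail aliases file, so a host can check itself for both before any scanner does. The following is an added example, not from the book or from SATAN: it parses a constructed inetd.conf excerpt in the classic seven-field layout and a constructed /etc/aliases excerpt, and reports which legacy services are still enabled and which aliases pipe incoming mail into a program. Standalone daemons such as ntpd or an IRC server never appear in inetd.conf and need a separate process check.

```python
"""Flag legacy inetd services and program-invoking mail aliases.

Added example, not from the book. Assumes the classic inetd.conf layout
(service socket_type proto wait user server [args]) and the aliases(5) layout
(name: target[, target...]); '#' starts a comment in both files.
"""

# Services the chapter lists as low-value but worth removing; 'ntalk' is added
# as the newer talk protocol (an assumption for this example).
LEGACY_SERVICES = {"gopher", "uucp", "talk", "ntalk", "systat"}


def _active_lines(text):
    """Yield non-blank lines with trailing comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def enabled_legacy_services(inetd_conf):
    """Return sorted names of LEGACY_SERVICES whose lines are not commented out."""
    found = set()
    for line in _active_lines(inetd_conf):
        fields = line.split()
        if len(fields) >= 6 and fields[0] in LEGACY_SERVICES:
            found.add(fields[0])
    return sorted(found)


def program_aliases(aliases_text):
    """Return (alias, program) pairs for aliases that pipe mail into a command."""
    hits = []
    for line in _active_lines(aliases_text):
        if ":" not in line:
            continue
        name, targets = line.split(":", 1)
        for target in targets.split(","):
            target = target.strip().strip('"')
            if target.startswith("|"):
                hits.append((name.strip(), target[1:].strip()))
    return hits


# Constructed excerpts, not taken from any real host.
SAMPLE_INETD_CONF = """\
# constructed inetd.conf excerpt
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd
#gopher stream  tcp  nowait  root   /usr/sbin/tcpd  gopherd
talk    dgram   udp  wait    root   /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp  wait    root   /usr/sbin/tcpd  in.ntalkd
systat  stream  tcp  nowait  nobody /usr/sbin/tcpd  /bin/ps -auwwx
uucp    stream  tcp  nowait  uucp   /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
"""

SAMPLE_ALIASES = """\
# constructed /etc/aliases excerpt
postmaster: root
decode: "|/usr/bin/uudecode"
helpdesk: alice, bob
"""

if __name__ == "__main__":
    print("legacy services enabled:", enabled_legacy_services(SAMPLE_INETD_CONF))
    print("aliases that run programs:", program_aliases(SAMPLE_ALIASES))
```

The commented-out gopher line is correctly ignored, while talk, ntalk, systat and uucp are reported; the decode alias is the one the chapter describes. Disabling a service in inetd.conf takes effect only after inetd re-reads the file (conventionally by sending it SIGHUP).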

Completion of the Manual Scan

At this point, the hacker has completed manually scanning the remote system for potential phase one vulnerabilities. This corresponds to the completion of a SATAN scan. Whereas the hacker took perhaps four hours to complete the above scans against a single host, SATAN could easily run the same scans against that host in seconds. In addition, SATAN would generate reports and databases of additional hosts to scan in the future. It is important for a system administrator to understand the manual approach to phase one attacks: SATAN only includes a subset of the possible scans, as mentioned throughout the preceding manual scan demonstration. A vigilant system administrator should consider adding additional scans to SATAN to cover all possible vulnerabilities.

Know the Code

The best way to know possible vulnerabilities is to study the code of Internet services. Most vendor code is based on publicly available source, from BSD, ATT, Sun, or private locations. Hackers get this source and study it for clues.

The Linux distributions are extremely helpful in understanding the operation of most programs. Even the latest and greatest code from vendors typically has comparable Linux source code. For example, NIS+ from Sun has a cousin in Linux called NYS. One popular Linux FTP site is ftp://sunsite.unc.edu.

The BSD44 distribution is available on CD-ROM from many bookstores now and is useful in understanding the transport layer implementation as well as many of the standard services, such as rlogin or inetd.

Some of the most popular private distributions follow:

  sendmail: ftp://ftp.cs.berkeley.edu/pub/sendmail
  bind: http://www.isc.org/isc/bind.html
  wu-ftpd: ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd
  httpd: http://www.ncsa.uiuc.edu
  firewall kit: http://www.tis.com

Try All Known Problems

Problems are not all fixed simultaneously. One vendor might fix one problem on one platform, but the other platforms from that vendor won’t be fixed until later, and platforms from other vendors won’t be fixed for quite some time. So hackers reverse-engineer patches, search for security implications of those patches, and test all of notreal.com’s systems for these holes. One major vendor estimated that many security patches are reverse-engineered within a day of release—sometimes within hours.

Some Unix problems are re-opened in new releases, or are never really closed. Hackers build up a catalog of problems and try them on new platforms, products, and releases. Has there ever been a new Unix OS release that didn’t have at least one set-uid root script?

The hacker has gathered quite a bit of information on the remote systems in notreal.com’s domain. At this point, a hacker should be able to identify some weaknesses—a system that offers unrestricted NFS exports or X Windows server access, for example.

Match Vulnerabilities with Opportunities

After building up a database of existing and past security holes, and then building up a database of a target organization’s systems and configurations, the hacker can now try to cross-correlate opportunities and take advantage of them.

As an example, any weaknesses in sendmail, due to old versions or configuration mistakes, might permit the sending of the /etc/passwd file. A copy of the real passwd file could be in the anonymous FTP ~ftp/etc directory. An accessible X Windows system can allow a hacker to take control of the target. An NIS server or client can offer access to system maps. An NFS server can offer access to file systems. The presence of a tftpd, and the knowledge of the file system for the system type, might permit the uploading of a corrupt configuration or boot file onto the boot server. The tftpd might permit the downloading of files from any directory. The ftpd might allow an intruder to put an .rhosts into the ~ftp directory. A new system might not have passwords for all accounts.
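Several of the opportunities listed above are visible in a handful of configuration files, so an administrator can find them before anyone else correlates them. The script below is an added example, not from the book: it reports NFS exports open to every host, accounts whose passwd entry has an empty password field, and a ~ftp/etc/passwd copy that still carries real password hashes. All inputs are constructed samples, and the /etc/exports grammar assumed is the Linux/BSD one (a path, then client specs, with Linux-style options in parentheses and BSD-style "-option" tokens).

```python
"""Host-side checks for three exposures the chapter lists: unrestricted NFS
exports, accounts with no password, and a real passwd copy under ~ftp/etc.

Added example, not from the book. Inputs are constructed samples. The exports
grammar assumed: path, then client specs; Linux options follow the client in
parentheses, BSD options are separate tokens beginning with '-'.
"""


def unrestricted_exports(exports_text):
    """Return paths exported to every host: no client list, or a '*' client."""
    open_paths = []
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *rest = line.split()
        clients = []
        for tok in rest:
            if tok.startswith("-"):        # BSD-style option, not a host
                continue
            host = tok.split("(", 1)[0]    # drop Linux-style "(rw,...)" options
            if host:
                clients.append(host)
        if not clients or "*" in clients:
            open_paths.append(path)
    return open_paths


def empty_password_accounts(passwd_text):
    """Return login names whose password field in passwd(5) format is empty."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names


# Password fields that carry no hash. '*' and 'x' are conventional; the others
# are assumptions for the example.
NO_HASH = {"", "*", "x", "!", "!!", "NP", "*LK*"}


def accounts_with_real_hashes(ftp_passwd_text):
    """Return accounts in a ~ftp/etc/passwd copy whose password field is a hash."""
    hits = []
    for line in ftp_passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in NO_HASH:
            hits.append(fields[0])
    return hits


# Constructed samples; notreal.com is the chapter's example domain.
SAMPLE_EXPORTS = """\
# constructed /etc/exports
/export/home   *(rw)
/export/tools  trusted.notreal.com(ro)
/usr/share
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
guest::500:500:Guest account:/home/guest:/bin/sh
ftp:*:14:50:Anonymous FTP:/home/ftp:/bin/false
"""

# A ~ftp/etc/passwd that was copied from /etc/passwd instead of being stubbed.
SAMPLE_FTP_PASSWD = """\
root:ab/constructedHashValue:0:0:root:/:/bin/sh
ftp:*:14:50:Anonymous FTP:/home/ftp:/bin/false
"""

if __name__ == "__main__":
    print("world-readable exports:", unrestricted_exports(SAMPLE_EXPORTS))
    print("accounts without a password:", empty_password_accounts(SAMPLE_PASSWD))
    print("hashes leaked via ~ftp/etc/passwd:", accounts_with_real_hashes(SAMPLE_FTP_PASSWD))
```

The ~ftp/etc/passwd check matters because anonymous FTP only needs that file to map uids to names for directory listings, so every password field in it can be "*". Writable ~ftp directories and stray .rhosts files are filesystem checks rather than text parsing and are left to the usual permission audit.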

