Internet Security Professional Reference:SATAN and the Internet


Firewalls

SATAN is primarily intended for remote scanning of systems connected to the Internet. The vast majority of such systems are firewall systems, rather than just standard Unix workstations.

A firewall system is one that connects an internal network to the Internet. Every organization should connect to the Internet only through carefully maintained firewall systems. By reducing the number of systems directly on the Internet to a limited number that are under the scrutiny of administrators, exposure is kept to a minimum. Each of these firewalls should prevent vulnerable services, such as NFS, NIS, or fingerd, from being offered to Internet sites. The DNS configuration on the firewall system should minimize the amount of information available to external users. In general, firewalls should minimize the amount of “information leakage” from the internal network to external sites.

Modifying a company network to use firewalls is a complex task that requires time and consideration. TIS offers a public domain firewall that includes S/Key support. CERT has a paper on packet filtering that can assist you in configuring a firewall. You can subscribe to a firewalls mailing list by sending a message that includes “subscribe firewalls” in the message body to majordomo@greatcircle.com. The bibliography lists several references on the topic. Other papers on the topic are available via the COAST and CERT archives.

A firewall also affects how users reach the external Internet. Some firewalls permit Telnet or FTP connections to cross the firewall by requiring an additional password for the firewall; some use S/Key; and some use SecurID smart cards. Other firewalls use socks proxy servers, which require the client programs to be modified.

The importance of properly configuring a firewall, applying patches in a timely manner, and limiting the services available to Internet users cannot be overstated. If SATAN is used by a hacker against your organization, it will be used to scan the firewall systems.

The addresses follow:

  TIS firewall: http://www.tis.com/docs/products/fwtk/readme.html
  CERT packet filtering paper: ftp://ftp.cert.org/pub/tech_tips/packet_filtering
  S/Key: http://www.bellcore.com/SECURITY/skey.html


Note:  For more information on firewalls, see Chapter 6, “How to Build a Firewall,” and Chapter 7, “How to Buy a Firewall.”

socks

socks is an IP encapsulation technique that permits TCP connections to use a proxy server to complete a connection. It permits users to conveniently use Internet services across a gateway without being aware that a gateway is being crossed. Socksd is frequently used to turn a Unix workstation that has an Internet connection as well as an internal company network connection into a firewall system. As a result, SATAN’s scan of target firewall systems will frequently indicate the presence of a socksd. While no vulnerabilities are currently known to exist in a properly configured socksd, SATAN’s discovery of socksd can indicate that the system is not just a host connected to the Internet, but a firewall.

Normally, a telnet from host A to host B does a connect() directly between the two IP addresses using the standard transport routing tables. When telnet is “socksified,” telnet first checks whether the destination host B address is directly accessible. If it is, it follows that standard connection process. If it is not, it references two environment variables, SOCKS_NS and SOCKS_SERVER, to help it first resolve the domain name into an IP address, and then to identify the IP address of the server running the socksd proxy server. It then encapsulates the TCP packets according to the socks protocol and sends them to the socks server, which runs on a gateway system and has direct connectivity to the destination system. The socks server opens up a connection and begins to act as an intermediate hop in the connection.

If your firewall configuration supports a socks server, you must have socksified clients to take advantage of this service. (An HP-UX–specific socks includes a socksify program that enables you to convert binary versions of network programs.)

The addresses follow:

  socks: ftp://ftp.nec.com/pub/socks
  socks home page: http://www.socks.nec.com
  HP-UX socks: ftp://ftp.cup.hp.com/dist/socks
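The socksified-client logic described above, as an added example (not code from the book or from the NEC socks distribution). It assumes version 4 of the socks protocol, which the chapter does not name, and models “directly accessible” with a constructed list of local networks; the SOCKS_NS lookup is not performed because the example runs offline.

```python
import os
import ipaddress
import struct

# Assumption: version 4 of the socks protocol (the chapter does not say which version).
SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
SOCKS4_GRANTED = 90   # reply code CD; 91-93 are the rejection codes

# Constructed sample: networks host A can reach without crossing the gateway.
DIRECT_NETS = [ipaddress.ip_network("192.168.10.0/24")]

def directly_accessible(dest_ip, direct_nets=DIRECT_NETS):
    """First step of a socksified connect(): is host B reachable without the proxy?"""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in net for net in direct_nets)

def socks_server(environ=os.environ):
    """The gateway running socksd, taken from SOCKS_SERVER as a socksified client does."""
    server = environ.get("SOCKS_SERVER")
    if not server:
        raise RuntimeError("SOCKS_SERVER is not set; cannot cross the gateway")
    return server

def build_connect_request(dest_ip, dest_port, userid):
    """Encapsulate a CONNECT to host B:port as a SOCKS4 request for the socksd.
    Layout: VN(1) CD(1) DSTPORT(2, network order) DSTIP(4) USERID NUL."""
    packed_ip = ipaddress.ip_address(dest_ip).packed
    return (struct.pack("!BBH", SOCKS4_VERSION, SOCKS4_CONNECT, dest_port)
            + packed_ip + userid.encode("ascii") + b"\x00")

def parse_reply(reply):
    """Decode the 8-byte socksd reply (VN is 0); True only if the proxy granted it."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed socks reply")
    return reply[1] == SOCKS4_GRANTED

def plan_connection(dest_ip, dest_port, userid="guest", environ=os.environ):
    """Mirror the socksified telnet decision: (mode, socks server, request bytes)."""
    if directly_accessible(dest_ip):
        return ("direct", None, None)
    target = socks_server(environ)
    return ("proxy", target, build_connect_request(dest_ip, dest_port, userid))
```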

Investigating What SATAN Does

“Now we must turn aside a little from our path, in the direction of the malignant beast that lies in wait.”

—Dante Alighieri, Inferno, Canto XVII, lines 27–29

This section describes the exact details of the network holes uncovered by SATAN, as well as holes that are common.

SATAN’s Information Gathering

SATAN scans the target system for active listeners on various UDP and TCP ports. The number of ports scanned depends on the type of scan specified: light, normal, or heavy.

Light Scans

The light scan does not do a generic UDP or TCP scan; it starts with three scans: a dns scan, an rpc portmap scan, and, if the portmapper shows mountd services, a showmount scan.

The dns scan uses nslookup to gather as much information as possible about the target host, including MX records and authoritative name servers for that host.

The rpc scan asks the target portmap for a list of services. It then scans this list, looking for the following services: rexd, arm, bootparam, ypserv, ypbind, selection_svc, nfs, mountd, rusersd, netinfobind, and admind.

If mountd is present, SATAN runs a showmount scan. The showmount scan first asks the target mountd to list what file systems are exported and what hosts are permitted to mount them (via the showmount -e command). The scan then asks the target mountd to list what hosts actually mount file systems, and to list those mounted file systems (via the showmount -a command).
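An administrator can check a firewall’s own portmap listing for the services the light scan looks for before SATAN does. The following is an added example, not SATAN’s code: it parses `rpcinfo -p` output (a constructed sample with illustrative program numbers), reports which of the services named above are registered, and says whether mountd would trigger the showmount follow-up.

```python
import re

# Services SATAN's rpc scan looks for in the target portmap listing (from this chapter).
SATAN_RPC_TARGETS = {"rexd", "arm", "bootparam", "ypserv", "ypbind", "selection_svc",
                     "nfs", "mountd", "rusersd", "netinfobind", "admind"}

# Constructed sample of `rpcinfo -p` output; program numbers are illustrative only.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs
    100004    2   udp    640  ypserv
    100017    1   tcp   1023  rexd
    100002    2   udp    747  rusersd
    100001    3   udp    742  rstatd
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

def parse_rpcinfo(text):
    """Turn rpcinfo -p output into (program, version, proto, port, name) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)          # the header line does not match
        if m:
            prog, vers, proto, port, name = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), name))
    return entries

def exposed_rpc_services(text):
    """Registered service names that SATAN's rpc scan would report, sorted."""
    names = {entry[4] for entry in parse_rpcinfo(text)}
    return sorted(names & SATAN_RPC_TARGETS)

def light_scan_followups(text):
    """Follow-up probes the light scan would run: showmount only when mountd is registered."""
    followups = []
    if "mountd" in exposed_rpc_services(text):
        followups.extend(["showmount -e", "showmount -a"])
    return followups
```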
