Scanners

 In Internet security, no hacking tool is more celebrated than the scanner. It is said that a good TCP port scanner is worth a thousand user passwords.

 What Is a Scanner?

 A scanner is a program that automatically detects security weaknesses in a remote or local host. By deploying a scanner, a user in Los Angeles can uncover security weaknesses on a server in Japan without ever leaving his or her living room.

 How Do Scanners Work?

True scanners are TCP port scanners: programs that connect to TCP/IP ports and the services behind them (Telnet or FTP, for example) and record the response from the target. In this way they gather valuable information about the target host (for instance, can an anonymous user log in?).

 Other so-called scanners are merely UNIX network utilities. These are commonly used to discern whether certain services are working correctly on a remote machine. They are not true scanners, but they can also be used to collect information about a target host. (Good examples of such utilities are the rusers and host commands, common to UNIX platforms.)

 On What Platforms Are Scanners Available?

 Although they are commonly written for execution on UNIX workstations, scanners are now written for almost any operating system. Non-UNIX scanning tools are becoming more popular now that the rest of the world has turned to the Internet. There is a special push into the Microsoft Windows market, because Windows is becoming more popular as an Internet server platform.

 Is It Difficult to Create a Scanner?

 No. However, it requires a strong knowledge of TCP/IP and, in practice, of C, Perl, and/or one or more shell languages. Developing a scanner is an ambitious project that would likely bring the programmer much satisfaction. Even so, there are many scanners available (both free and commercial), making scanners a poor choice as a for-profit project.

 It is also necessary to have some background in socket programming, a method used in the development of client/server applications.

 What Will a Scanner Tell?

 A scanner might reveal certain inherent weaknesses within the target host. These might be key factors in implementing an actual compromise of the target's security. In order to reap this benefit, however, you must know how to recognize the hole. Most scanners do not come with extensive manuals or instructions. Interpretation of data is very important.

 What Won't a Scanner Tell?

 A scanner won't tell you the following:

- A step-by-step method of breaking in.

- The degree to which your activities are being logged by the target.

 Are Scanners Legal?

 Yes. Scanners are most often designed, written, and distributed by security personnel and developers. These tools are usually given away, via the public domain, so that system administrators can check their own systems for weaknesses. However, although scanners are not illegal to possess or use, running one against a host you do not administer is likely to draw opposition from that host's administrator. Moreover, certain scanners are so intrusive in their probing of remote services that unauthorized use of them may violate federal or state statutes regarding unauthorized entry into computer networks.

 Why Are Scanners Important to Internet Security?

 Scanners are important to Internet security because they reveal weaknesses in the network. Whether hackers or crackers use this information is, in the long run, immaterial. Used by system administrators, scanners strengthen security in the immediate sense. Used by crackers, scanners also end up strengthening security, because once a hole has been exploited, that exploitation will ultimately be discovered and the hole closed. Some system administrators argue that scanners work against Internet security when in the hands of crackers. This is not true. If a system administrator fails to adequately secure his or her network (for example, by never running a scanner against it), that negligence will come to light in the form of a network security breach.

 The Attributes of a Scanner

 The primary attributes of a scanner are:

- The capability to find a machine or network.

- The capability, once having found a machine, to find out what services are being run on the host.

- The capability to test those services for known holes.

 This process is not incredibly complex. At its most basic, it involves capturing the messages generated when one tries to connect to a particular service. To illustrate the process step by step, let's address these attributes one at a time.
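The connect-and-record loop described under "How Do Scanners Work?" and in the attributes above, written out as an added example (this is not code from the original text or from any of the tools it names). It connects to each port, notes whether the connect succeeded, was refused (closed) or timed out (filtered), and captures whatever the service says first. The FTP-style test server, its banner text and the port list are constructed so the script runs offline against 127.0.0.1; point scan_ports at a real host and port range to use it for real.

```python
"""Minimal TCP connect scanner with banner grabbing (added example)."""
import socket
import threading

# A few well-known service names so the report reads like the page's examples.
KNOWN_SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
                  80: "http", 110: "pop3", 113: "ident"}


def grab_banner(sock, timeout=1.0, size=256):
    """Return the first bytes a service volunteers after connect, or b''.

    FTP, SMTP, SSH and telnet speak first; HTTP does not, so an empty banner
    on port 80 is normal, not an error.
    """
    sock.settimeout(timeout)
    try:
        return sock.recv(size)
    except (socket.timeout, OSError):
        return b""


def probe_port(host, port, timeout=1.0):
    """TCP connect probe of one port. Returns (state, banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""        # target answered with RST
        except OSError:
            return "filtered", b""      # no answer at all (timeout/unreachable)
        return "open", grab_banner(s, timeout)


def scan_ports(host, ports, timeout=1.0):
    """Scan the given ports; returns {port: {state, service, banner}}."""
    results = {}
    for port in ports:
        state, banner = probe_port(host, port, timeout)
        results[port] = {
            "state": state,
            "service": KNOWN_SERVICES.get(port, "?"),
            "banner": banner.decode("ascii", "replace").strip(),
        }
    return results


def start_fake_service(banner, host="127.0.0.1"):
    """Constructed stand-in for a daemon: listens on an ephemeral port and
    sends `banner` to every client. Returns the port number it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port(host="127.0.0.1"):
    """Bind-and-release an ephemeral port so we know one that is (almost
    certainly) closed right now. Demo helper only."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port = start_fake_service(b"220 ftp.example.test FTP server ready\r\n")
    closed_port = find_closed_port()
    report = scan_ports("127.0.0.1", [open_port, closed_port])
    for port, info in sorted(report.items()):
        print(f"{port:5d} {info['state']:8s} {info['service']:6s} {info['banner']}")
```

The three states matter to the interpretation the page insists on: "closed" means the host is up and answered, "filtered" means something between you and the port swallowed the probe, and only "open" yields a banner worth reading.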

 Locating a Potential Target

 The Internet is vast. There are literally millions of potential targets in the void. The problem facing modern crackers is how to find those targets quickly and effectively, and scanners are well suited for this purpose. To demonstrate how a scanner can find a potential target, determine what services it is running, and probe for weaknesses, let's pick on Silicon Graphics (SGI) machines as the example target. Here you will see how scanners are regularly employed to automate human cracking tasks.

 One thing a scanner routinely tries is to log in to accounts that have no password set; SGI's IRIX, for instance, shipped with several such default accounts. The system administrator should therefore know which default logins on the system have no password and lock them before an intruder finds them.

 This problem can be quickly fixed by editing the password file (/etc/passwd on UNIX) and inserting an asterisk between the first and second colons. No password hash can ever match "*", so the login is locked.

Thus the leading portion would look like this:

adm:*:3:4:adm:/var/adm:

Instead of like this:

adm::3:4:adm:/var/adm:

The basic idea is to create a locked login. If the system administrator does not do this, the hole stays open.
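The check a system administrator would run before a scanner does it for them, as an added example (not code from the original text): it parses /etc/passwd-format lines, reports every account whose password field is empty, and applies the page's fix by writing "*" into that field. The sample entries are constructed; on a real system you would read /etc/passwd, and where the field is "x" the hash lives in /etc/shadow, which must be checked separately.

```python
"""Audit /etc/passwd-format text for passwordless accounts and lock them (added example)."""

# Constructed sample file: the page's own 'adm' line plus a few invented entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
adm::3:4:adm:/var/adm:
lp::9:9:lp:/var/spool/lp:/bin/sh
guest::998:998:guest:/usr/people/guest:/bin/csh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# comment lines and blanks are ignored
bin:x:2:2:bin:/bin:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Yield (name, password, uid, gid, gecos, home, shell) for each entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        # Exactly seven colon-separated fields; the shell may be empty, which
        # is why the page's 'adm' example ends in a trailing colon.
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        yield tuple(fields)


def passwordless_accounts(text):
    """Names of accounts whose password field is empty.

    ''   -> login allowed with no password at all (what the scanner looks for)
    '*'  -> locked: nothing can ever hash to it
    'x'  -> hash is in /etc/shadow; audit that file too
    """
    return [name for name, pw, *_ in parse_passwd(text) if pw == ""]


def lock_account(line):
    """Return one passwd line with its password field set to '*'.
    adm::3:4:adm:/var/adm:  ->  adm:*:3:4:adm:/var/adm:"""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError("not a 7-field passwd entry")
    fields[1] = "*"
    return ":".join(fields)


def lock_passwordless(text):
    """Return the whole file text with every passwordless account locked."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and line.split(":")[1] == "":
            line = lock_account(line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name in passwordless_accounts(SAMPLE_PASSWD):
        print("no password set:", name)
    print(lock_passwordless(SAMPLE_PASSWD))
```

Run it against a copy of the file first, diff the result, and only then install it; a mistake in /etc/passwd locks out everyone, including you.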

Various scanners available on the net

Scanners available on the net help the system administrator analyze the vulnerabilities of the current system and find its loopholes before it becomes a target for crackers.

Finding the operating system

There are many ways to find out which operating system a host runs. Many servers announce it in the banner returned to a simple telnet session, and the web site http://uptime.netcraft.com also reports the operating system of the sites it tracks. Once the operating system is known, a cracker can plan the entry into the network around the known weaknesses of that platform.

This exposure can be reduced by several methods:

- Running a firewall.

- Restricting queries of your name servers to a particular set of addresses.

- Configuring the web server so that it does not display the operating system it runs on. (A good example is http://www.yahoo.com, which does not reveal the operating system it runs on.)

- Completely disallowing outside access to your name servers.
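What the cracker actually reads off a telnet session, as an added example (not from the original text): a small parser that pulls the software name out of an HTTP Server: header, an SSH identification string, or an FTP/SMTP greeting, and flags banners that name the platform. The banners, hostnames and version numbers are constructed, and the token-to-platform table is an assumed illustrative mapping, not an authoritative fingerprint database.

```python
"""Extract software and operating-system hints from service banners (added example)."""
import re

# Assumed mapping from banner tokens to the platform they give away.
OS_HINTS = {
    "Ubuntu": "Linux (Ubuntu)",
    "Debian": "Linux (Debian)",
    "FreeBSD": "FreeBSD",
    "Win32": "Windows",
    "Microsoft-IIS": "Windows",
    "IRIX": "IRIX",
}

# Constructed sample banners keyed by "host:port"; formats follow the real protocols.
SAMPLE_BANNERS = {
    "a.example.test:80": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    "b.example.test:80": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n",
    "c.example.test:80": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",  # product name only
    "d.example.test:22": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    "e.example.test:21": "220 e.example.test FTP server (Version 6.00LS) ready.\r\n",
    "f.example.test:25": "220 f.example.test ESMTP Sendmail 8.15.2/8.15.2; Mon, 1 Jan 2024 00:00:00 GMT\r\n",
}


def parse_banner(banner):
    """Return {'software': str or None, 'os_hint': str or None} for one banner."""
    software = None
    m = re.search(r"^Server:\s*(.+?)\r?$", banner, re.MULTILINE | re.IGNORECASE)
    if m:                                   # HTTP response: Server: header
        software = m.group(1).strip()
    elif banner.startswith("SSH-"):         # SSH-<protoversion>-<software and comments>
        software = banner.strip().split("-", 2)[2]
    elif re.match(r"^220[ -]", banner):     # FTP / SMTP greeting line
        software = banner[4:].strip()
    os_hint = None
    if software:
        for token, platform in OS_HINTS.items():
            if token in software:
                os_hint = platform
                break
    return {"software": software, "os_hint": os_hint}


def leaking_hosts(banners):
    """Sorted host:port keys whose banner names an operating system."""
    return sorted(k for k, b in banners.items() if parse_banner(b)["os_hint"])


if __name__ == "__main__":
    for key, banner in SAMPLE_BANNERS.items():
        print(f"{key:22s} {parse_banner(banner)}")
    print("leaking OS:", leaking_hosts(SAMPLE_BANNERS))
```

Host c is what an Apache server configured with ServerTokens Prod returns: the product name alone, which is the "write the site so it does not display the operating system" fix from the list above.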

On Windows

Trace route

This utility can be used to identify where a machine sits. Suppose a cracker tries to enter the network and his or her IP address is logged. The tracert command can then be run against that address to trace the route to it; the second-to-last hop is generally the network from which the activity originated.

Finger command

The finger command can be used to list the individual users on a remote host.

There are many network analysis tools available on the net. Some of these are straight ports from UNIX commands, and others are programs built from the ground up. In both cases, the majority of these tools are shareware or freeware. You can use these tools to learn much about networking.

NetScan Tools

 The NetScan Tools suite contains a series of UNIX utilities ported to Windows. Its development team claims that by utilizing ping, network administrators can identify unauthorized machines using IP addresses on their subnets. The program also contains ports of WHOIS, finger, ping, and traceroute. The NetScan Tools suite is shareware and is available at http://www.eskimo.com/~nwps/index.html.

Network Toolbox

Network Toolbox is very similar to the Netscan Tools suite. It consists of a port of nine separate UNIX utilities. This utility has an interesting feature called IP Address Search, which allows the user to search for machines within a given range of IP addresses. Otherwise, it has the usual fare: finger, DNS, WHOIS, and so on. One special amenity of this suite is that it is exceedingly fast. This utility is discussed in greater detail later in this chapter. Network Toolbox is available at http://www.jriver.com/netbox.html.

 

TCP/IP Surveyor

 

This tool is quite impressive; not only does it gather information about networks and reachable machines, it formats it into a graphical representation that maps routers, workstations, and servers. TCP/IP Surveyor is shareware and can be found at ftp://wuarchive.wustl.edu/systems/ibmpc/win95/netutil/wssrv32n.zip.

 

Nmap ("Network Mapper")

Nmap is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GPL (General Public License). Nmap can be found online at http://www.insecure.org/nmap_download.html

On Macintosh

There has been a sharp increase in development of network analysis tools on the Macintosh platform. Many of these applications are first rate and, in traditional Mac platform style, are extremely easy to use.

MacTCP Watcher

This utility provides ping, DNS lookups, and general monitoring of connections initiated by protocols within the TCP/IP suite. As of version 1.12, this utility has been designated freeware. It can be found at http://www.share.com/share/peterlewis/mtcpw/.

Query It!

Query It! is a solid utility that performs basic nslookup inquiries. It generates information very similar to that produced by the host command. Query It! is available at http://www.cyberatl.net/~mphillip/index.html#Query It!.

On Unix/Linux

Jakal

Jakal is a stealth scanner. That is, it will scan a domain (behind a firewall) while leaving little or no trace of the scan. According to its authors, none of the alpha test sites were able to log any activity (although the authors' documentation does note that "Some firewalls did allow SYN|FIN to pass through").

Stealth scanners are a new phenomenon, their incidence no doubt rising with the incidence of firewalls on the Net. It is a relatively new area of expertise, so if you test Jakal and find that a few log entries appear, don't be unforgiving.

Stealth scanners work by conducting half-open scans: they send a SYN and read the reply (SYN|ACK for an open port, RST for a closed one) but never complete the three-way handshake, answering with RST instead of ACK. Because no connection is ever established, stealth scans slip past port-scanning detectors and still identify what services are running behind the firewall. (This includes rather elaborate scan detectors such as Courtney and Gabriel; most such detection systems respond only to fully established connections.)
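The detector that the tools named above lacked, as an added example (not from the original text and not Jakal's code): instead of logging completed connections, it keys on the handshake itself and reports any source that sent SYN (or SYN|FIN) probes to several ports without ever following up with the ACK that completes a connection. Because the same probe pattern is visible whether the target answers SYN|ACK or RST, closed ports count too. The input is constructed in a simplified tcpdump -n style (timestamp, source, destination, TCP flags); the addresses and the scanning pattern are invented.

```python
"""Detect half-open (SYN / SYN|FIN) scans in packet summaries (added example)."""
import re
from collections import defaultdict

# Constructed sample: 10.9.9.9 probes six ports without completing a handshake;
# 198.51.100.7 makes one ordinary connection to port 80.
SAMPLE_PACKETS = """\
12:00:00.000 IP 10.9.9.9.40000 > 192.0.2.10.21: Flags [S]
12:00:00.001 IP 192.0.2.10.21 > 10.9.9.9.40000: Flags [S.]
12:00:00.002 IP 10.9.9.9.40000 > 192.0.2.10.21: Flags [R]
12:00:00.010 IP 10.9.9.9.40001 > 192.0.2.10.22: Flags [S]
12:00:00.011 IP 192.0.2.10.22 > 10.9.9.9.40001: Flags [S.]
12:00:00.012 IP 10.9.9.9.40001 > 192.0.2.10.22: Flags [R]
12:00:00.020 IP 10.9.9.9.40002 > 192.0.2.10.23: Flags [S]
12:00:00.021 IP 192.0.2.10.23 > 10.9.9.9.40002: Flags [R.]
12:00:00.030 IP 10.9.9.9.40003 > 192.0.2.10.25: Flags [S]
12:00:00.031 IP 192.0.2.10.25 > 10.9.9.9.40003: Flags [S.]
12:00:00.032 IP 10.9.9.9.40003 > 192.0.2.10.25: Flags [R]
12:00:00.040 IP 10.9.9.9.40004 > 192.0.2.10.80: Flags [S]
12:00:00.041 IP 192.0.2.10.80 > 10.9.9.9.40004: Flags [S.]
12:00:00.042 IP 10.9.9.9.40004 > 192.0.2.10.80: Flags [R]
12:00:00.050 IP 10.9.9.9.40005 > 192.0.2.10.110: Flags [SF]
12:00:01.000 IP 198.51.100.7.51515 > 192.0.2.10.80: Flags [S]
12:00:01.001 IP 192.0.2.10.80 > 198.51.100.7.51515: Flags [S.]
12:00:01.002 IP 198.51.100.7.51515 > 192.0.2.10.80: Flags [.]
12:00:01.003 IP 198.51.100.7.51515 > 192.0.2.10.80: Flags [P.]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def half_open_scans(text, min_ports=3):
    """Return {source_ip: sorted target ports probed but never completed}.

    A client flow (src, sport, dst, dport) is a probe when the client sent a
    SYN-bearing segment without ACK ('S' or 'SF' in tcpdump notation). It is
    completed only if the same flow later carries a bare ACK ('.'); RST or
    silence leaves it half-open, which is exactly what connection-oriented
    loggers never record.
    """
    probes = {}             # flow -> (src, dport)
    completed = set()
    for p in parse_packets(text):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if "S" in p["flags"] and "." not in p["flags"]:
            probes[flow] = (p["src"], p["dport"])
        elif p["flags"] == "." and flow in probes:
            completed.add(flow)
    per_source = defaultdict(set)
    for flow, (src, dport) in probes.items():
        if flow not in completed:
            per_source[src].add(dport)
    return {src: sorted(ports) for src, ports in per_source.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in half_open_scans(SAMPLE_PACKETS).items():
        print(f"half-open scan from {src}: ports {ports}")
```

The min_ports threshold is what keeps a single stray SYN from raising an alert; tune it to your network, and remember that a scanner willing to complete every handshake (a plain connect scan) is invisible to this check and visible to the connection loggers, so the two belong together.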

Obtain a copy of Jakal, written by Halflife, Jeff (Phiji) Fay, and Abdullah Marafie at http://www.giga.or.at/pub/hacker/unix.

IdentTCPscan

IdentTCPscan is a more specialized scanner. It has the added functionality of picking out the owner of the process behind a given TCP port. That is, it determines the UID of the process. For example, running IdentTCPscan against a machine may produce the following output:

Port:   7    Service:        (?)    Userid:  root
Port:   9    Service:        (?)    Userid:  root
Port:  11    Service:        (?)    Userid:  root
Port:  13    Service:        (?)    Userid:  root
Port:  15    Service:        (?)    Userid:  root
Port:  19    Service:        (?)    Userid:  root
Port:  21    Service:        (?)    Userid:  root
Port:  23    Service:        (?)    Userid:  root
Port:  25    Service:        (?)    Userid:  root
Port:  37    Service:        (?)    Userid:  root
Port:  79    Service:        (?)    Userid:  root
Port:  80    Service:        (?)    Userid:  root
Port: 110    Service:        (?)    Userid:  root
Port: 111    Service:        (?)    Userid:  root
Port: 113    Service:        (?)    Userid:  root
Port: 119    Service:        (?)    Userid:  root
Port: 139    Service:        (?)    Userid:  root
Port: 513    Service:        (?)    Userid:  root
Port: 514    Service:        (?)    Userid:  root
Port: 515    Service:        (?)    Userid:  root
Port: 540    Service:        (?)    Userid:  root
Port: 672    Service:        (?)    Userid:  root
Port: 2049   Service:        (?)    Userid:  root
Port: 6000   Service:        (?)    Userid:  root

This utility has a very important function. By finding the UID of the process behind each port, misconfigurations can be quickly identified. Examine the output above: a seasoned security professional will notice that line 12 of the scan shows a serious misconfiguration. Port 80 is running a service as root; it happens to be HTTPD. This is a security problem because any attacker who exploits a weakness in your CGI scripts will run his or her processes as root as well. (The user IDs come from the target's own identd, which says whatever its administrator configured it to say, so treat them as leads to verify rather than proof.) IdentTCPscan is extremely fast and, as such, a powerful and incisive tool (and a favorite of crackers). It works equally well on a variety of platforms, including Linux, BSDI, and SunOS. It generally comes as a compressed file containing the source code; it is written in C, is very compact, requires minimal network resources to run, and will build without event using most any C compiler. Obtain a copy of IdentTCPscan, written by David Goldsmith, at http://www.giga.or.at/pub/hacker/unix.
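The exchange IdentTCPscan automates, as an added example (this is not IdentTCPscan's code). The protocol itself is RFC 1413: the client connects to port 113 on the host that owns the server side of a TCP connection and sends "<server-port> , <client-port>", and identd replies either "<server-port> , <client-port> : USERID : <opsys> : <user>" or "... : ERROR : <reason>". A real identd only answers for connections that currently exist; the identd here is a constructed stand-in with an assumed port-to-owner table, listening on an ephemeral port, so the example runs offline.

```python
"""RFC 1413 ident query and reply parsing, with a stand-in identd (added example)."""
import socket
import threading

IDENT_PORT = 113  # the real identd port; the stand-in below uses an ephemeral one


def parse_ident_reply(reply):
    """Return ('USERID', opsys, user) or ('ERROR', reason, None) from one reply line."""
    parts = [p.strip() for p in reply.strip().split(":", 3)]
    if len(parts) >= 4 and parts[1] == "USERID":
        return ("USERID", parts[2], parts[3])
    if len(parts) >= 3 and parts[1] == "ERROR":
        return ("ERROR", parts[2], None)
    raise ValueError(f"malformed ident reply: {reply!r}")


def ident_query(host, server_port, client_port, ident_port=IDENT_PORT, timeout=2.0):
    """One RFC 1413 round trip: ask `host` who owns its side of the connection
    <host>:<server_port> <-> <us>:<client_port>. Returns the parsed reply."""
    with socket.create_connection((host, ident_port), timeout=timeout) as s:
        s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
        reply = b""
        while not reply.endswith(b"\r\n") and len(reply) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            reply += chunk
    return parse_ident_reply(reply.decode("ascii", "replace"))


def start_fake_identd(owners, host="127.0.0.1"):
    """Constructed identd: answers from `owners` (server_port -> user name),
    otherwise ERROR : NO-USER. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def handle(conn):
        with conn:
            req = conn.recv(256).decode("ascii", "replace")
            try:
                sport, cport = (int(x) for x in req.split(","))
            except ValueError:
                conn.sendall(b"0 , 0 : ERROR : INVALID-PORT\r\n")
                return
            user = owners.get(sport)
            if user is None:
                conn.sendall(f"{sport} , {cport} : ERROR : NO-USER\r\n".encode("ascii"))
            else:
                conn.sendall(f"{sport} , {cport} : USERID : UNIX : {user}\r\n".encode("ascii"))

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port


def root_owned_services(host, ident_port, open_ports, client_port=40000):
    """The check behind the page's line-12 finding: which ports answer as root?"""
    return [p for p in open_ports
            if ident_query(host, p, client_port, ident_port) == ("USERID", "UNIX", "root")]


if __name__ == "__main__":
    fake = start_fake_identd({80: "root", 25: "root", 8080: "www-data"})
    for port in (80, 25, 8080, 110):
        print(port, ident_query("127.0.0.1", port, 40000, ident_port=fake))
    print("root-owned:", root_owned_services("127.0.0.1", fake, [80, 25, 8080, 110]))
```

Against a real target you would first open a connection to each port you care about (so identd has something to look up), then query port 113 with that connection's port pair; and since identd is under the target's control, a reply of "root" is a reason to look closer, not a finding in itself.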

 

CONNECT

 

CONNECT is a /bin/sh script. Its purpose is to scan subnets for TFTP servers. The script works through trailing IP addresses recursively, so it is necessary to send the process into the background. This scanner is of relatively little importance because TFTP is a weak protocol and there isn't much to gain from it: if the system administration at a site is negligent, a cracker might be able to obtain the /etc/passwd file, but these days the odds of finding both an open TFTP server and a non-shadowed passwd file on the same machine are practically nil. The documentation for CONNECT was written by Joe Hentzel; according to Hentzel, the script's author is anonymous. A copy can be found at http://www.giga.or.at/pub/hacker/unix/.

 FSPScan

FSPScan scans for FSP servers. FSP stands for File Service Protocol, an Internet protocol much like FTP. It provides for anonymous file transfers and reportedly has protection against network overloading (for example, FSP never forks). Perhaps the most security-aware feature of FSP is that it logs the incoming user's hostname. This is considered superior to FTP, which merely requests the user's e-mail address (which, in effect, is no logging at all). FSP became popular enough that it now sports GUI clients for Windows and OS/2.

What's extraordinary about FSPScan is that it was written by one of the co-authors of FSP! A copy of FSPScan, written by Wen-King Su, is at http://www.giga.or.at/pub/hacker/unix.

XSCAN

XSCAN scans a subnet (or host) for X server vulnerabilities. At first glance, this doesn't seem particularly important. After all, most other scanners do the same. However, XSCAN includes an additional functionality: If it locates a vulnerable target, it immediately starts logging the keystrokes at that terminal.

Other amenities of XSCAN include the capability to scan multiple hosts in the same scan; these can be entered on the command line as arguments. A copy of XSCAN is at http://www.giga.or.at/pub/hacker/unix.

Internet security is a constantly changing field. As new holes are discovered, they are posted to various mailing lists, alert rosters, and newsgroups. Most commonly, such alerts end up at CERT or CIAC. Crackers and hackers alike belong to such mailing lists and often read CERT advisories. Thus, these new holes become common knowledge often minutes or hours after they are posted.

As each new hole is uncovered, capabilities to check for the new hole are added to existing scanners. The process is not particularly complex. In most cases, the cracker need only write a small amount of additional code, which is then pasted into the existing source code of his or her scanner. The scanner is then recompiled.  The cracker is ready to exploit a new hole on a wide scale. This is a never-ending process.

System administrators must learn about and use scanners. It is a fact of life. Those who fail to do so will suffer the consequences, which can be very grave. Scanners can educate new system administrators as to potential security risks. If for no other reason than this, scanners are an important element of Internet security. It is therefore necessary that system administrators test out as many scanners as possible in order to improve security.