McAfee ASaP

1000: Information Gathering and Recon


1001 Finger access control check

This check attempts to contact the finger daemon on the target-host and retrieve a list of logged in users.



1002 Finger 0@host check

This check attempts to gather user information by fingering 0@target-host.



1003 Finger Redirection Check

A frequently overlooked aspect of the "finger" information system is that many implementations support forwarding of queries, allowing a finger client to request a finger server to ask another finger server for information. This can be used to hide information-gathering attacks by obscuring the source of the attack, or to obtain access to finger servers that are protected by selective network access control. This check attempts to bounce a remote finger request through the target-host finger daemon. An attempt is made to resolve a finger query that looks like this:

user@some-remote-host@target-host



1004 Finger .@target-host check

Some implementations of the "finger" information server support a little-known feature triggered by requests for the user ".". In response to this query, these servers will provide a finger client with information about users who have never logged in. These users frequently have easily guessed "default" passwords. This check attempts to gather user information by fingering .@target-host.



1005 "rusers" service check

The "rusers" ONC RPC service, much like finger, provides information about users currently logged into a Unix system. An attacker can use this information to obtain lists of usernames against which to attempt brute-force password guessing, and to discover the usage patterns of the system.

This check attempts to retrieve information from the rusers service on the target-host.

NOTE: This check will only return a listing of users in the module output on rusers version 2.



1006 Telnet service banner present

The telnet service banner module obtains and displays the banner that the target host presents when a client connects to its telnet service.



1007 SMTP banner check

This check collects the message displayed upon connection to the SMTP port of the target host.



1008 FTP banner check

The FTP banner check attempts to gather banner information from the ftp daemon.



1009 Anonymous FTP check

This check attempts to discern whether CyberCop Scanner can access an FTP server as an anonymous FTP user.



1010 "rstatd" check

"rstatd" is an ONC RPC service that provides information about the status of a system (including uptime and usage statistics) to the public. In addition to disclosing sensitive information about the configuration and capabilities of a server, "rstatd" can also provide information that is used by some programs to generate random numbers, and can thus be used as a tool to compromise other servers on a system. This module attempts to poll information from rstatd.



1011 "X.25" gateway RPC service present

The target host was found to be running the X.25 RPC gateway service. This is indicative of the target host acting as a gateway to an X.25 packet switched network.



1012 "bootparamd" RPC service present

This check identifies the presence of rpc.bootparamd. If it is present, the check then attempts to coax the NIS domain name from the server.



1013 Gopher daemon check

This check attempts to discover if a gopher daemon is running on the target host.



1014 IRC server present

This particular check discerns whether the IRC service is present on the target host.



1016 Netstat check

Some operating systems are distributed with an Internet gateway to the "netstat" command enabled in their inetd configuration. These configurations allow arbitrary entities on the Internet to obtain the output of the "netstat" command on these machines. This information can be sensitive.

This check attempts to poll netstat information from a target host.



1017 Systat check

The "systat" command provides information about the current utilization of resources on a Unix system. Some operating systems are distributed with an Internet gateway to the "systat" command, allowing arbitrary entities on the Internet to gather information from the "systat" command on remote machines. The information available from systat allows an attacker to infer the configuration of the machine, and is thus sensitive.

This check attempts to poll systat information from the target-host.



1018 FSP daemon check

This check discerns whether a host is running an FSP daemon.



1019 SSH information obtained

The scanner attempts to poll information from your SSH daemon about its configuration. The information that can be gathered remotely from an SSH daemon includes:

  • SSH Version
  • Host key size
  • Public key size
  • Authentication methods in use
  • Encryption methods in use




1021 ESMTP check

This module checks to see if a mailer daemon supports extended SMTP commands via ehlo.



1023 Identd username gathering

This check scans a host running ident and returns the UIDs of network daemons running on the target-host.



1024 Routing table retrieved

The routing table has been retrieved from the target host's routing daemon. This service utilizes RIP (Routing Information Protocol) to maintain an updated list of routes and routing information for the host it is running on.



1026 rpc.rquotad check

The check attempts to poll rpc.rquotad on the target-host for user quota information.



1028 rpc.sprayd check

The rpc.sprayd service is offered to administrators to determine traffic statistics on a network. An administrator can send the service a stream of packets, and is presented with statistics on the number of packets which have been received.



1032 ICMP timestamp obtained

The system time was obtained from the target host utilizing a capability present within the ICMP protocol. The ICMP protocol provides an operation to query a remote host for the current system time.



1033 ICMP netmask obtained

The netmask was obtained from the target host utilizing a capability present within the ICMP protocol. The ICMP protocol provides an operation to query a remote host for the network netmask.



1034 "rpcbind" RPC service present on high numbered port

This check attempts to determine whether the target host is running a version of rpcbind which listens on a high numbered UDP port above 32770 in addition to the standard port 111. This has been known to occur on the Solaris operating system.



1035 Finger search.**@host check

This check attempts to finger search.**@target-host and monitors output to discern if usernames are returned.



1036 WWW Web Server Version

This module returns the version of the WWW server running on the remote host, if it is available.



1037 "portmapper" or "rpcbind" RPC service present

The portmapper service was found running on the target host. Since RPC services do not run on well-known ports, this service is used to map RPC services to the dynamic port numbers that they currently reside on. RPC client programs use this service when they make a connection to a remote RPC server.



1038 S/Key Banner Check

This check will determine if the S/Key one-time password authentication system is installed on the target machine.



1039 Ascend Configurator Identification Check

Ascend Access Servers and Routers speak a protocol over the UDP "discard" port that allows the Ascend Java "Configurator" tool to locate Ascend equipment on a network automatically. An Ascend router will respond to any network user that sends a well-formed Configurator packet with a response that includes the symbolic name of the router.

Attackers can use this to pick out Ascend equipment from a network (Ascend routers may be a specific target of attack, or may indicate further network connections), and to obtain the names of these routers (which may provide information on which to base password guesses).



1040 Network Time Protocol server present

An NTP server was found to be present on the target host. Many Network Time Protocol servers offer detailed information on their setup, including systems which they peer with, system memory configuration, and time statistics. This module obtains information from the remote NTP server using the NTP version 3 protocol and lists the information which can be obtained from the server. Information which can be obtained via NTP includes the following:

  • System time statistics (uptime)
  • System IO statistics
  • System memory statistics
  • Time daemon peer listing




1041 Trace route to host

This module traces the route to the host being scanned in the same manner as the traceroute program in UNIX or the tracert program in Windows NT. The route information is stored to the network map file as well as being returned by the module. The network mapper uses this information to build a map of the network.




© 2002, Network Associates, Inc. and its affiliated Companies. All Rights Reserved.