1000: Information Gathering and Recon
1001 Finger access control check
This check attempts to contact the finger daemon on the target-host and
retrieve a list of logged in users.
This check attempts to gather user information by fingering 0@target-host.
1003 Finger Redirection Check
A frequently overlooked aspect of the "finger" information system is that
many implementations support forwarding of queries, allowing a finger
client to request a finger server to ask another finger server for
information. This can be used to hide information-gathering attacks by
obscuring the source of the attack, or to obtain access to finger servers
that are protected by selective network access control.
This check attempts to bounce a remote finger request through the
target-host finger daemon. An attempt is made to resolve a finger query
that looks like this:
user@some-remote-host@target-host
1004 Finger .@target-host check
Some implementations of the "finger" information server support a
little-known feature triggered by requests for the user ".". In response
to this query, these servers will provide a finger client with information
about users who have never logged in. These users frequently have easily
guessed "default" passwords.
This check attempts to gather user information by fingering .@target-host.
1005 "rusers" service check
The "rusers" ONC RPC service, much like finger, provides information
about users currently logged into a Unix system. This information can be
used by an attacker to obtain lists of usernames to attempt brute-force
password guessing attacks against, and to discover the usage patterns of
the system.
This check attempts to retrieve information from the rusers service on the
target-host.
NOTE: This check will only return a listing of users in the module output
on rusers version 2.
1006 Telnet service banner present
The telnet service banner module obtains and displays the banner returned
by the target host when connecting to the telnet service.
This check collects the message displayed upon connection to the SMTP port
of the target host.
The FTP banner check attempts to gather banner information from the ftp
daemon.
This check attempts to discern whether CyberCop Scanner can access an FTP
server as an anonymous FTP user.
"rstatd" is an ONC RPC service that provides information about the status
of a system (including uptime and usage statistics) to the public. In
addition to disclosing sensitive information about the configuration and
capabilities of a server, "rstatd" can also provide information that is
used by some programs to generate random numbers, and can thus be used as
a tool to compromise other servers on a system.
This module attempts to poll information from rstatd.
1011 "X.25" gateway RPC service present
The target host was found to be running the X.25 RPC gateway service.
This is indicative of the target host acting as a gateway to an X.25
packet switched network.
1012 "bootparamd" RPC service present
This check identifies the presence of rpc.bootparamd. If it is present
the process will then attempt to coax the NIS domain name from the server.
This check attempts to discover if a gopher daemon is running on the
target host.
This particular check discerns whether the IRC service is present on
the target host.
Some operating systems are distributed with an Internet gateway to the
"netstat" command enabled in their inetd configuration. These
configurations allow arbitrary entities on the Internet to obtain the
output of the "netstat" command on these machines. This information can be
sensitive.
This check attempts to poll netstat information from a target host.
The "systat" command provides information about the current utilization of
resources on a Unix system. Some operating systems are distributed with an
Internet gateway to the "systat" command, allowing arbitrary entities on
the Internet to gather information from the "systat" command on remote
machines. The information available from systat allows an attacker to
infer the configuration of the machine, and is thus sensitive.
This check attempts to poll systat information from the target-host.
This check discerns whether a host is running an FSP daemon.
1019 SSH information obtained
The scanner attempts to poll information from your SSH daemon about its
configuration. The information which can be gathered remotely from an
SSH daemon includes:
- SSH Version
- Host key size
- Public key size
- Authentication methods in use
- Encryption methods in use
This module checks to see if a mailer daemon supports extended SMTP commands
via ehlo.
1023 Identd username gathering
This check scans a host running ident and returns the UIDs of network daemons
running on the target-host.
1024 Routing table retrieved
The routing table has been retrieved from the target host's routing
daemon. This service utilizes RIP (Routing Information Protocol) to
maintain an updated list of routes and routing information for the
host it is running on.
The check attempts to poll rpc.rquotad on the target-host for user quota
information.
The rpc.sprayd service is offered to administrators to determine traffic
statistics on a network. An administrator can send the service a stream
of packets, and is presented with statistics on the number of packets which
have been received.
1032 ICMP timestamp obtained
The system time was obtained from the target host utilizing a
capability present within the ICMP protocol. The ICMP protocol
provides an operation to query a remote host for the current
system time.
1033 ICMP netmask obtained
The netmask was obtained from the target host utilizing a capability
present within the ICMP protocol. The ICMP protocol provides an
operation to query a remote host for the network netmask.
1034 "rpcbind" RPC service present on high numbered port
This check attempts to determine whether the target host is running a
version of rpcbind which listens on a high numbered UDP port above 32770
in addition to the standard port 111. This has been known to occur on
the Solaris operating system.
1035 Finger search.**@host check
This check attempts to finger search.**@target-host and monitors output
to discern if usernames are returned.
1036 WWW Web Server Version
This module returns the version of WWW server running on the remote
host, if it is available.
1037 "portmapper" or "rpcbind" RPC service present
The portmapper service was found running on the target host. Since RPC
services do not run on well-known ports, this service is used to map RPC
services to the dynamic port numbers on which they currently reside. RPC
client programs use this service when they make a connection to a remote
RPC server.
This check will determine if the S/Key one-time password authentication
system is installed on the target machine.
1039 Ascend Configurator Identification Check
Ascend Access Servers and Routers speak a protocol over the UDP
"discard" port that allows the Ascend Java "Configurator" tool to
locate Ascend equipment on a network automatically. An Ascend
router will respond to any network user that sends a well-formed
Configurator packet with a response that includes the symbolic
name of the router.
Attackers can use this to pick out Ascend equipment from a network
(Ascend routers may be a specific target of attack, or may indicate
further network connections), and to obtain the names of these
routers (which may provide information on which to base password
guesses).
1040 Network Time Protocol server present
An NTP server was found to be present on the target host. Many Network
Time Protocol servers offer detailed information on their setup,
including systems which they peer with, system memory configuration,
and time statistics. This module obtains information from the remote
NTP server using the NTP version 3 protocol and lists the information
which can be obtained from the server. Information which can be obtained
via NTP includes the following:
- System time statistics (uptime)
- System IO statistics
- System memory statistics
- Time daemon peer listing
This module traces the route to the host being scanned in the same
manner as the traceroute program in UNIX or the tracert program in
Windows NT. The route information is stored to the network map file
as well as being returned by the module. The network mapper uses this
information to build a map of the network.