Scanners

Full-featured Unix systems offer a bewildering array of services, only a few of which are understood and used by typical users. Many of these are spawned by the inetd daemon, and are listed in /etc/inetd.conf. Others (httpd, smbd) are started by boot scripts, while yet others are controlled by the portmapper (NFS).

To discover what services a particular host offers, standard Unix tools (showmount, rpcinfo) may be used, or a scanner program may systematically probe all TCP or UDP ports and try to elicit a response. In this way "unlisted" unprivileged services, such as non-standard HTTP servers, may be discovered by an intruder, in addition to standard services. Scanners may scan one host for a number of services, or many hosts (an entire domain or subnet) for a particular service. If an intruder has an exploit for a particular service and machine architecture, they may scan a large number of hosts fairly quickly in search of a vulnerable system. The well-publicized security program Satan uses a scanning approach to locate system vulnerabilities.

It is thus important to quickly close reported holes in Internet daemons, or to disable unnecessary services. In 1997, for example, a number of Linux systems were shipped with vulnerable IMAP and SMB daemons, and scanners were written to search for these. In 1998, a hole was found in the named daemon, and again an exploit was written for it.
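One way to review which inetd-spawned services are still enabled is to compare /etc/inetd.conf against a short list of services the host is meant to offer. The script below is an added example, not part of the original page; the function names, the allowlist and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# inetd.conf fields: service socket-type protocol wait-flag user server-program [argv0 args...]
# Entries disabled by commenting them out start with '#'.

# Print "service/protocol daemon" for every enabled entry in the file $1.
inetd_enabled() {
    awk '
        NF < 6 || $1 ~ /^#/ { next }        # skip blanks, comments, malformed lines
        {
            daemon = (NF >= 7) ? $7 : $6    # argv0 names the real daemon behind tcpd
            print $1 "/" $3 " " daemon
        }
    ' "$1"
}

# Print enabled entries whose service name is not in the
# space-separated allowlist $2 (hypothetical site policy).
inetd_unexpected() {
    conf=$1; allow=$2
    inetd_enabled "$conf" | while read -r svc daemon; do
        name=${svc%%/*}
        case " $allow " in
            *" $name "*) ;;                 # expected service, say nothing
            *) echo "$svc $daemon" ;;       # candidate for disabling or patching
        esac
    done
}

# Constructed sample file, not taken from a real host.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
EOF

inetd_unexpected "$sample" "ftp telnet"
```

On a real host, pass /etc/inetd.conf as the first argument. Services started by boot scripts or registered with the portmapper are not listed in that file and need a separate check.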


A.Daviel