On Thu, Dec 17, 1998 at 12:05:52PM -0800, Lamont Granquist wrote:
> I'm not sure what you mean here. That's actually *not* a stealthy way to
> do it, since the portmap could be wrapped against libwrap.a (from
> tcp_wrappers) and queries from foreign hosts could be denied and logged.
> On the other hand, many RPC services themselves have no access control and
> very limited logging capabilities. I'd personally feel a whole lot
> stealthier in scanning a network from 600-1024 using stealth scan and then
> querying the service directly to figure out what it was. Tripwiring
> against that kind of a scan is more difficult, requiring either the
> sources to the RPC programs, some kind of kludgy hack like securelib, or
> a firewall with logging.
I guess the point I was trying to bring across in the previous mail is that
there is no safe way to do an rpcinfo call on a remote machine without them
knowing about what you just did. Even if you used null commands you would
still have to create a handshake that will be detected by such daemons as
tcpdump etc. Now, if you could make portmap somehow respond without setting
it off, that would be nice. Then again it's on the application layer.
dmess0r
Received on Dec 17 1998
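The "query the service directly" approach that Lamont describes and the "there is still a handshake on the wire" point that dmess0r makes can both be seen in a small ONC RPC probe. The following is an added example, not code from either poster: it builds an RPC v2 CALL for procedure 0 (the NULL procedure) with AUTH_NONE credentials, exactly as laid out in RFC 1831, sends it straight to a candidate port without ever talking to portmap, and classifies the REPLY. A server that does not run the guessed program answers PROG_UNAVAIL; one that does run it answers SUCCESS (version matched) or PROG_MISMATCH (version wrong, and the reply carries the supported low/high range), so the version guess of 0 is deliberate. The function names, the UDP-only transport, and the hand-built sample replies used for offline demonstration are my own constructions, not anything from the thread.

```python
import random
import socket
import struct

# ONC RPC v2 wire constants (RFC 1831). These are protocol values, not assumptions.
CALL, REPLY = 0, 1
RPC_VERSION = 2
MSG_ACCEPTED, MSG_DENIED = 0, 1
AUTH_NONE = 0
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
REJECT_STAT = {0: "RPC_MISMATCH", 1: "AUTH_ERROR"}


def build_null_call(xid, prog, vers=0, proc=0):
    """Encode an RPC CALL for proc 0 (NULLPROC) with empty AUTH_NONE cred and verf.
    Version 0 is chosen on purpose: a present program answers PROG_MISMATCH
    and reveals its real version range instead of just SUCCESS."""
    header = struct.pack("!IIIIII", xid, CALL, RPC_VERSION, prog, vers, proc)
    auth = struct.pack("!IIII", AUTH_NONE, 0, AUTH_NONE, 0)  # cred + verf, both empty
    return header + auth


def parse_reply(data):
    """Decode an RPC REPLY into a dict: xid, status, and low/high on PROG_MISMATCH."""
    if len(data) < 12:
        raise ValueError("short RPC reply")
    xid, msg_type, reply_stat = struct.unpack("!III", data[:12])
    if msg_type != REPLY:
        raise ValueError("not an RPC reply")
    off = 12
    result = {"xid": xid}
    if reply_stat == MSG_ACCEPTED:
        _flavor, length = struct.unpack("!II", data[off:off + 8])
        off += 8 + ((length + 3) & ~3)          # skip opaque verifier body, XDR-padded
        accept = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
        result["status"] = ACCEPT_STAT.get(accept, "UNKNOWN(%d)" % accept)
        if accept == 2:                          # PROG_MISMATCH carries the version range
            result["low"], result["high"] = struct.unpack("!II", data[off:off + 8])
    else:
        reject = struct.unpack("!I", data[off:off + 4])[0]
        result["status"] = "DENIED_" + REJECT_STAT.get(reject, "UNKNOWN(%d)" % reject)
    return result


def program_present(reply):
    """True if the probed port serves the guessed program number."""
    return reply.get("status") in ("SUCCESS", "PROG_MISMATCH")


def probe_udp(host, port, prog, timeout=2.0):
    """Send one NULL call over UDP straight to the port (no portmap involved).
    Returns the decoded reply, or None on timeout / xid mismatch. Note the
    datagram and its answer are still plainly visible to a sniffer on the wire."""
    xid = random.getrandbits(32)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_null_call(xid, prog), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_reply(data)
    return reply if reply["xid"] == xid else None


def make_reply(xid, accept_stat, low=None, high=None):
    """Constructed sample MSG_ACCEPTED reply with an empty AUTH_NONE verifier,
    used here only so the parser can be exercised offline."""
    body = struct.pack("!IIIIII", xid, REPLY, MSG_ACCEPTED, AUTH_NONE, 0, accept_stat)
    if accept_stat == 2:
        body += struct.pack("!II", low, high)
    return body


if __name__ == "__main__":
    # Offline walk-through over constructed replies, as a server on a high port
    # might answer three different program-number guesses.
    for prog, sample in ((100003, make_reply(1, 2, 2, 3)),   # exists, versions 2..3
                         (100005, make_reply(2, 1)),         # not this program
                         (100000, make_reply(3, 0))):        # version matched
        r = parse_reply(sample)
        print(prog, r["status"], "present" if program_present(r) else "absent")
```

Used against a live host, loop probe_udp over a port range and a list of well-known program numbers; any port that returns anything other than PROG_UNAVAIL is an RPC service, and the low/high pair tells you which versions to talk to. Nothing here touches port 111, so a libwrap-wrapped portmap never sees the query, which is Lamont's point; a sniffer between you and the target sees every datagram, which is dmess0r's.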