ch09.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,272 行 · 第 1/5 页

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 9 -- Scanners</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch08/ch08.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch10/ch10.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">9</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Scanners</FONT></H1>
</CENTER>
<P>In this chapter, I examine scanners. The structure of this chapter is straightforward
and very similar to previous chapters. It begins by answering some basic questions,
including</P>

<UL>
	<LI>What is a scanner?<BR>
	<BR>
	
	<LI>What does a scanner do?<BR>
	<BR>
	
	<LI>On what platforms are scanners available?<BR>
	<BR>
	
	<LI>What system requirements are involved to run a scanner?<BR>
	<BR>
	
	<LI>Is it difficult to create a scanner?<BR>
	<BR>
	
	<LI>What will a scanner tell me?<BR>
	<BR>
	
	<LI>What won't a scanner tell me?<BR>
	<BR>
	
	<LI>Are scanners legal?<BR>
	<BR>
	
	<LI>Why are scanners important to Internet security?
</UL>

<P>After answering these questions, I will examine the historical background of scanners.</P>
<P>From there, I cover the scanner from a more practical viewpoint. I will differentiate
between true scanners are other diagnostic network tools. I will examine different
types of scanners, especially very popular ones (such as SATAN and Strobe). At that
point, you will gain understanding of what constitutes a scan and what ingredients
are necessary to create a scanner.</P>
<P>Finally, you will conduct a scan and analyze what information has been gained
from it. In this way, you will derive an inside look at scanner functionality. By
the end of this chapter, you will know what a scanner is, how to deploy one, and
how to interpret the results from a scan. In short, I will prepare you for actual,
network combat using scanners.
<H2><FONT COLOR="#000077"><B>Scanners</B></FONT></H2>
<P>In Internet security, no hacking tool is more celebrated than the scanner. It
is said that a good TCP port scanner is worth a thousand user passwords. Before I
treat the subject of scanners in depth, I want to familiarize you with scanners.
<H3><FONT COLOR="#000077"><B>What Is a Scanner?</B></FONT></H3>
<P>A <I>scanner</I> is a program that automatically detects security weaknesses in
a remote or local host. By deploying a scanner, a user in Los Angeles can uncover
security weaknesses on a server in Japan without ever leaving his or her living room.
<H3><FONT COLOR="#000077"><B>How Do Scanners Work?</B></FONT></H3>
<P>True scanners are TCP port scanners, which are programs that attack TCP/IP ports
and services (Telnet or FTP, for example) and record the response from the target.
In this way, they glean valuable information about the target host (for instance,
can an anonymous user log in?).</P>
<P>Other so-called scanners are merely UNIX network utilities. These are commonly
used to discern whether certain services are working correctly on a remote machine.
These are not true scanners, but might also be used to collect information about
a target host. (Good examples of such utilities are the rusers and host commands,
common to UNIX platforms.) Such utilities are discussed later in this chapter.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><TT> rusers</TT> gathers information
	about users currently logged to the targeted host and in this way, closely resembles
	the UNIX utility <TT>finger</TT>. <TT>host</TT> is also a UNIX utility, designed
	to interactively query name servers for all information held on the targeted host.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>On What Platforms Are Scanners Available?</B></FONT></H3>
<P>Although they are commonly written for execution on UNIX workstations, scanners
are now written for use on almost any operating system. Non-UNIX scanning tools are
becoming more popular now that the rest of the world has turned to the Internet.
There is a special push into the Microsoft Windows NT market, because NT is now becoming
more popular as an Internet server platform.
<H3><FONT COLOR="#000077"><B>What System Requirements Are Necessary to Run a Scanner?</B></FONT></H3>
<P>System requirements depend on the scanner, your operating system, and your connection
to the Internet. Certain scanners are written only for UNIX, making UNIX a system
requirement. There are, however, more general requirements of which to be aware:</P>

<UL>
	<LI>You might encounter problems if you are running an older Macintosh or IBM compatible
	with a slow Internet connection (as would be the case if you used Windows 3.11 running
	TCPMAN as a TCP/IP stack, via a 14.4 modem). These configurations might cause stack
	overflows or general protection faults, or they might simply cause your machine to
	hang. Generally, the faster your connection, the better off you are. (And naturally,
	a true 32-bit system contributes greatly to performance.)<BR>
	<BR>
	
	<LI>RAM is another issue, mainly relevant to window-system-based scanners. Command-line
	scanning utilities typically require little memory. Windowed scanners can require
	a lot. (For a comparison, I suggest running ISS. First, try the older, command-line
	version. Then run the new Xiss, which operates through MIT's X Window System, OpenWindows,
	or any compatible UNIX-based windowing system. The difference is very noticeable.)
</UL>

<P>Bottom line, you must have a compatible operating system, a modem (or other connection
to the Net), and some measure of patience. Not all scanners work identically on different
platforms. On some, this or that option might be disabled; on others, sometimes very
critical portions of the application might not work.
<H3><FONT COLOR="#000077"><B>Is It Difficult to Create a Scanner?</B></FONT></H3>
<P>No. However, you will require strong knowledge of TCP/IP routines and probably
C, Perl, and/or one or more shell languages. Developing a scanner is an ambitious
project that would likely bring the programmer much satisfaction. Even so, there
are many scanners available (both free and commercial), making scanners a poor choice
as a for-profit project.</P>
<P>You will also require some background in socket programming, a method used in
the development of client/server applications.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>There are many resources
	online to help you get started; I list two here. The first is a bare-bones introduction
	to socket programming generated by Reg Quinton at The University of Western Ontario.
	It can be found at <A HREF="http://tecstar.cv.com/~dan/tec/primer/socket_programming.html"><B>http://tecstar.cv.com/~dan/tec/primer/socket_programming.html</B></A>.</P>
	<P>Another excellent source for information about socket programming is provided
	by Quarterdeck Office Systems as an online programming resource. It addresses all
	supported BSD 4.3 socket routines and is very comprehensive. It is located at <A
	HREF="http://149.17.36.24/prog/sockets.html"><B>http://149.17.36.24/prog/sockets.html</B></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>What Will a Scanner Tell Me?</B></FONT></H3>
<P>A scanner might reveal certain inherent weaknesses within the target host. These
might be key factors in implementing an actual compromise of the target's security.
In order to reap this benefit, however, you must know how to recognize the hole.
Most scanners do not come with extensive manuals or instructions. Interpretation
of data is very important.
<H3><FONT COLOR="#000077"><B>What Won't a Scanner Tell Me?</B></FONT></H3>
<P>A scanner won't tell you the following:</P>

<UL>
	<LI>A step-by-step method of breaking in<BR>
	<BR>
	
	<LI>The degree to which your scanning activity has been logged
</UL>

<H3><FONT COLOR="#000077"><B>Are Scanners Legal?</B></FONT></H3>
<P>Yes. Scanners are most often designed, written, and distributed by security personnel
and developers. These tools are usually given away, via public domain, so that system
administrators can check their own systems for weaknesses. However, although scanners
are not illegal to possess or use, employing one if you are not a system administrator
would meet with brutal opposition from the target host's administrator. Moreover,
certain scanners are so intrusive in their probing of remote services that the unauthorized
use of them may violate federal or state statutes regarding unauthorized entry of
computer networks. This is a matter of some dispute and one not yet settled in law.
Therefore, be forewarned.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>WARNING:</B></FONT><B> </B>Do not take scanning activity
	lightly. If you intend to scan wide ranges of domains, check the laws in your state.
	Certain states have extremely particular legislation. The wording of such statutes
	is (more often than not) liberally construed in favor of the prosecution. For example,
	the state of Washington has provisions for <I>computer trespass</I>. (Wash. Rev.
	Code Sec. 9A.52 110-120.) If you deploy a scanner that attempts to steal the <TT>passwd</TT>
	file (a password file on the UNIX platform located in the directory <TT>/ETC</TT>),
	you might actually have committed an offense. I will discuss legal issues of hacking
	and cracking in Chapter 31, &quot;Reality Bytes: Computer Security and the Law.&quot;
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Why Are Scanners Important to Internet Security?</B></FONT></H3>
<P>Scanners are important to Internet security because they reveal weaknesses in
the network. Whether this information is used by hackers or crackers is immaterial.
If used by system administrators, scanners help strengthen security in the immediate
sense. If employed by crackers, scanners also help strengthen security. This is because
once a hole has been exploited, that exploitation will ultimately be discovered.
Some system administrators argue that scanners work against Internet security when
in the hands of crackers. This is not true. If a system administrator fails to adequately
secure his or her network (by running a scanner against it), his or her negligence
will come to light in the form of a network security breach.
<H2><FONT COLOR="#000077"><B>Historical Background</B></FONT></H2>
<P>Scanners are the most common utilities employed by today's cracker. There is no
mystery as to why: These programs, which automatically detect weaknesses within a
server's security structure, are fast, versatile, and accurate. More importantly,
they are freely available on the Internet. For these reasons, many sources insist
that the scanner is the most dangerous tool in the cracking suite.</P>
<P>To understand what scanners do and how they are employed, you must look to the
dawn of computer hacking. Transport yourself to the 1980s, before the personal computer
became a household item. The average machine had a 10MB hard disk drive and a whopping
640K memory. In fact, our more mature readers will remember a time when hard disk
drives did not exist. In those early days, work was done by rotating through a series
of 5&quot; floppy diskettes; one for the operating system, one for the current program,
and one to save your work.</P>
<P>Those early days are rather amusing in retrospect. Communications were conducted,
if at all, with modems ranging in speed from 300 to 1200bps. Incredibly, we got along
rather well with these meager tools.</P>
<P>The majority of users had never heard of the Internet. It existed, true, but was
populated primarily by military, research, and academic personnel. Its interface--if
we could call it that--was entirely command-line based. But these were not the only
limitations preventing America from flocking to the Net. Machines that could act
as servers were incredibly expensive. Consider that Sun Microsystems workstations
were selling for five and six figures. Today, those same workstations--which are
scarcely more powerful than a 25MHz 386--command less than $800 on Usenet.</P>
<P>We're talking frontier material here. Civilians with Internet access were generally
students with UUCP accounts. Dial-up was bare-bones, completely unlike today's more
robust SLIP, PPP, and ISDN access. In essence, the Internet was in its infancy, its
existence largely dependent on those early software authors concerned with developing
the system.</P>
<P>Security at that point was so lax that some readers will wonder why the Internet
was not completely overtaken by crackers. The answer is simple. Today, there are
massive online databases and mailing lists that broadcast weaknesses of a dozen different
operating systems. Table 9.1 lists a few examples.
<H4><FONT COLOR="#000077"><B>Table 9.1. Online mailing lists of security holes.</B></FONT></H4>