ch09.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,272 行 · 第 1/5 页

	the white paper "TCP/IP Connectivity in an AS/400 Environment" by David
	Bernard. (News/400. February 1996.) It can be found at <A HREF="http://204.56.55.10/Education/WhitePapers/tcpip/tcpip.htm"><B>http://204.56.55.10/Education/WhitePapers/tcpip/tcpip.htm</B></A>.
	
<HR>


</BLOCKQUOTE>

<P>These utilities will always be available to users, even if scanners are not. Moreover,
because the Internet is now traveled by more and more new users, utilities to analyze
network connections will be commonplace on all platforms.
<H2><FONT COLOR="#000077"><B>The Scanners</B></FONT></H2>
<P>Having discussed various network analysis utilities, we can now move on to bona
fide scanners. Let's take a look at today's most popular scanners.
<H3><FONT COLOR="#000077"><B>NSS (Network Security Scanner)</B></FONT></H3>
<P>NSS (Network Security scanner) is a very obscure scanner. If you search for it
using a popular search engine, you will probably find fewer than 20 entries. This
doesn't mean NSS isn't in wide use. Rather, it means that most of the FTP sites that
carry it are shadowed or simply unavailable via archived WWW searches.</P>
<P>NSS differs from its counterparts in several ways, the most interesting of which
is that it's written in Perl. (SATAN is also partially written in Perl. ISS and Strobe
are not.) This is interesting because it means that the user does not require a C
compiler. This might seem like a small matter, but it's not. Crackers and hackers
generally start out as students. Students may acquire shell accounts on UNIX servers,
true, but not every system administrator allows his or her users access to a C compiler.
On the other hand, Perl is so widely used for CGI programming that most users are
allowed access to Perl. This makes NSS a popular choice. (I should explain that most
scanners come in raw, C source. Thus, a C compiler is required to use them.)</P>
<P>Also, because Perl is an interpreted (as opposed to compiled) language, it allows
the user to make changes with a few keystrokes. It is also generally easier to read
and understand. (Why not? It's written in plain English.) To demonstrate the importance
of this, consider the fact that many scanners written in C allow the user only minimal
control over the scan (if the scanner comes in binary form, that is). Without the
C source code, the user is basically limited to whatever the programmer intended.
Scanners written in Perl do not generally enforce such limitations and are therefore
more easily extensible (and perhaps portable to any operating system running Perl
4 or better).</P>
<P>NSS was reportedly written on the DEC platform (DecStation 5000 and Ultrix 4.4).
It generally works out the box on SunOS 4.1.3 and IRIX 5.2. On other platforms, it
may require basic or extensive porting.</P>
<P>The basic value of NSS is its speed. It is extremely fast. Routine checks that
it can perform include the following:</P>

<UL>
	<LI>sendmail
	<LI>Anon FTP
	<LI>NFS Exports
	<LI>TFTP
	<LI>Hosts.equiv
	<LI>Xhost
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>NSS will not allow you to perform
	Hosts.equiv unless you have root privileges. If this is a critical issue and you
	do not currently have root, you might want to acquire a copy of Linux, Solaris X86,
	or FreeBSD. By getting one of these operating systems and installing it at home,
	you can become root. This is a common problem with several scanners, including SATAN
	and certain implementations of Internet Security Scanner. 
<HR>


</BLOCKQUOTE>

<P>As you might guess, some or most of these checks (except the Hosts.equiv query)
can be conducted by hand by any user, even without root privileges. Basically, NSS
serves the same function as most scanners: It automates processes that might otherwise
take a human weeks to complete.</P>
<P>NSS comes (most often) as a tarred, g'zipped file. (In other words, it is a zipped
archive created with gzip.exe, a popular compression tool similar to pkzip.exe.)
With the original distribution, the author discussed the possibility of adding greater
functionality, including the following features:</P>

<UL>
	<LI>AppleTalk scanning
	<LI>Novell scanning
	<LI>LAN manager networks
	<LI>The capability to scan subnets
	<LI>Briefly, the processes undertaken by NSS include
	<LI>Getting the domain listing or reporting that no such listing exists
	<LI>Pinging the host to determine whether it's alive
	<LI>Scanning the ports of the target host
	<LI>Reporting holes at that location
</UL>

<P>Although this is not an exhaustive treatment of NSS, there are some minor points
I can offer here:</P>

<UL>
	<LI>NSS does not run immediately after you unzip and untar it. Several changes must
	be made to the file. The environment variables must be set to those applicable to
	your machine's configuration. The key variables are
	<UL>
		<LI><TT>$TmpDir</TT>--The temporary directory used by NSS
		<LI><TT>$YPX</TT>--The directory where the ypx utility is located
		<LI><TT>$PING</TT>--The directory where the executable ping is located
		<LI><TT>$XWININFO</TT>--The directory where xwininfo is located
	</UL>
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>If your <TT>Perl</TT> <TT>include</TT>
	directory (where the Perl <TT>include</TT> files are located) is obscure and not
	included within your <TT>PATH</TT> environment variable, you will have to remedy
	that. Also, users should note that NSS does require the <TT>ftplib.pl</TT> library
	package. 
<HR>


</BLOCKQUOTE>


<UL>
	<LI>NSS has parallel capabilities and can distribute the scan among a number of workstations.
	Moreover, it can fork processes. Those running NSS on machines with limited resources
	(or running it without permission) will want to avoid these capabilities. These are
	options that can set within the code.
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find a copy of
	NSS, authored by Douglas O'Neal (released March 28, 1995) at <A HREF="http://www.giga.or.at/pub/hacker/unix"><TT>http://www.giga.or.at/pub/hacker/unix</TT></A>.
	This location was reliable as of November 20, 1996. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Strobe</B></FONT></H3>
<P>Strobe (The Super Optimized TCP Port Surveyor) is a TCP port scanner that logs
all open ports on a given machine. Strobe is fast (its author claims that an entire
small country can be scanned within a reasonable period of time).</P>
<P>The key feature of Strobe is that it can quickly identify what services are being
run on a given target (so quickly, in fact, that it takes less than 30 seconds to
pin down a server, even with a 28.8 modem connection to the Internet). The key drawback
of Strobe is that such information is limited. At best, a Strobe attack provides
the cracker with a rough guideline, a map of what services can be attacked. Typical
output from a Strobe scan looks like this:</P>
<PRE><FONT COLOR="#0066FF">localhost   echo     7/tcp Echo [95,JBP]
localhost   discard  9/tcp Discard [94,JBP]
localhost   systat   11/tcp Active Users [89,JBP]
localhost   daytime  13/tcp Daytime [93,JBP]
localhost   netstat  15/tcp Netstat
localhost   chargen  19/tcp Character Generator [92,JBP]
localhost   ftp      21/tcp File Transfer [Control] [96,JBP]
localhost   telnet   23/tcp Telnet [112,JBP]
localhost   smtp     25/tcp Simple Mail Transfer [102,JBP]
localhost   time     37/tcp Time [108,JBP]
localhost   finger   79/tcp Finger [52,KLH]
localhost   pop3     0/tcp Post Office Protocol-Version 3 122
localhost   sunrpc  111/tcp SUN Remote Procedure Call [DXG]
localhost   auth    113/tcp Authentication Service [130,MCSJ]
localhost   nntp    119/tcp Network News Transfer Protocol 65,PL4
</FONT></PRE>
<P>As you can see, the information is purely diagnostic in character (for example,
there are no probes for particular holes). However, Strobe makes up for this with
extensive command-line options. For example, in scanning hosts with large numbers
of assigned ports, you can disable all duplicate port descriptions. (Only the first
definition is printed.) Other amenities include</P>

<UL>
	<LI>Command-line option to specify starting and ending ports
	<LI>Command-line option to specify time after which a scan will terminate if it receives
	no response from a port or host
	<LI>Command-line option to specify the number of sockets to use
	<LI>Command-line option to specify a file from which Strobe will take its target
	hosts
</UL>

<P>Combining all these options produces a very controllable and configurable scan.
Strobe generally comes as a tarred and g'zipped file. Contained within that distribution
is a full man page and the binary.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find a copy of
	Strobe, authored by Julian Assange (released 1995), at <A HREF="http://sunsite.kth.se/Linux/system/Network/admin/"><TT>http://sunsite.kth.se/Linux/system/Network/admin/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>Pointers</B></FONT></H4>
<P>In the unlikely event you acquire Strobe without also acquiring the man page,
there is a known problem with Solaris 2.3. To prevent problems (and almost certainly
a core dump), you must disable the use of <TT>getpeername()</TT>. This is done by
adding the <TT>-g</TT> flag on the command line.</P>
<P>Also, although Strobe does not perform extensive tests on remote hosts, it leaves
just as large a footprint as early distributions of ISS. A host that is scanned with
Strobe will know it (this will most likely appear as a run of connect requests in
the <TT>/var/adm/messages</TT> file).
<H3><FONT COLOR="#000077"><B>SATAN (Security Administrator's Tool for Analyzing Networks)</B></FONT></H3>
<P>SATAN is a computing curiosity, as are its authors. SATAN was released (or <I>unleashed</I>)
on the Internet in April, 1995. Never before had a security utility caused so much
controversy. Newspapers and magazines across the country featured articles about
it. National news broadcasts warned of its impending release. An enormous amount
of hype followed this utility up until the moment it was finally posted to the Net.</P>
<P>SATAN is, admittedly, quite a package. Written for UNIX workstations, SATAN was--at
the time of its release--the only X Window System-based security program that was
truly user friendly. It features an HTML interface, complete with forms to enter
targets, tables to display results, and context-sensitive tutorials that appear when
a hole has been found. It is--in a word--extraordinary.</P>
<P>SATAN's authors are equally extraordinary. Dan Farmer and Weitse Venema have both
been deeply involved in security. Readers who are unfamiliar with SATAN might remember
Dan Farmer as the co-author of COPS, which has become a standard in the UNIX community
for checking one's network for security holes. Venema is the author of TCP_Wrapper.
(Some people consider TCP_Wrapper to be the grandfather of firewall technology. It
replaces inetd as a daemon, and has strong logging options.) Both men are extremely
gifted programmers, hackers (not crackers), and authorities on Internet security.</P>
<P>SATAN was designed only for UNIX. It is written primarily in C and Perl (with
some HTML thrown in for user friendliness). It operates on a wide variety of UNIX
flavors, some with no porting at all and others with moderate to intensive porting.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>There is a special problem with
	running SATAN on Linux. The original distribution applies certain rules that result
	in flawed operation on the Linux platform. There is also a problem with the way the
	<TT>select()</TT> call is implemented in the <TT>tcp_scan</TT> module. Lastly, if
	one scans an entire subnet at one time, this will result in a reverse fping bomb.
	That is, socket buffers will overflow. Nevertheless, one site contains not only a
	nicely hacked SATAN binary for Linux, but also the <TT>diff</TT> file. (A <TT>diff</TT>
	file is a file that is close but not identical to another file. Using the <TT>diff</TT>
	utility, one compares the two files. The resulting output consists of the changes
	that must be made.) These items can be found at <A HREF="ftp://ftp.lod.com"><TT>ftp.lod.com</TT></A>
	or one can obtain the <TT>diff</TT> file directly from Sunsite (<A HREF="ftp://sunsite.unc.edu"><TT>sunsite.unc.edu</TT></A>)
	at <TT>/pub/Linux/system/Network/admin/satan-linux.1.1.1.diff.gz</TT>. 
<HR>


</BLOCKQUOTE>

<P>The package comes tarred and zipped and is available all over the world. As the
name of the program (Security Administrator's Tool for Analyzing Networks) suggests,
it was written for