ch29.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,136 行 · 第 1/4 页

allows <TT>your_company.com</TT> to masquerade as a real server. Thus, when users
point their browsers to <TT>www.your_company.com</TT>, they are reaching the ISP's
server. The ISP's server redirects the connection request to your directory on the
server. This virtual domain scheme is popular for several reasons, including cost.
It saves your company the trouble of establishing a real server and therefore eliminates
some of these expenses:

<UL>
	<LI>Hardware
	<LI>Software
	<LI>24-hour maintenance
	<LI>Tech support
</UL>

<P>Basically, you pay a one-time fee (and monthly fees thereafter) and the ISP handles
everything. To crackers, this might be important. For example, if crackers are about
to crack your domain--without determining whether your machine is truly a server--they
may get into trouble. They think they are cracking some little machine within your
internal offices when in fact, they are about to attack a large, well-known network
provider.</P>
<P>Telnet instantly reveals the state of your server. When a cracker initiates a
Telnet connection to <TT>your_company.com</TT> (and on connect, sees the name of
the machine as a node on some other, large network), he or she immediately knows
that your address is a virtual domain.</P>
<P>Moreover, Telnet can be used for other nefarious purposes. One is the ever-popular
<I>brute-force</I> attack. I am not sure why brute-force attacks are so popular among
young crackers; almost all servers do some form of logging these days. Nevertheless,
the technique has survived into the 1990s. These attacks are most commonly initiated
using Telnet clients that have their own scripting language built in. Tera Term is
one such application.</P>
<P>Tera Term sports a language that allows you to automate Telnet sessions. This
language can be used to construct scripts that can determine valid usernames on a
system that refuses to cough up information on finger or sendmail-expn queries. Versions
of Telnet reveal this information in a variety of ways. For example, if a bogus username
is given, the connection will be cut. However, if a valid username is given, a new
<TT>login:</TT> prompt is reissued.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Tera Term can be found
	on the Web at <A HREF="http://tucows.phx.cox.com/files/ttermv13.zip"><TT>http://tucows.phx.cox.com/files/ttermv13.zip</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Moreover, Telnet is a great tool for quickly determining whether a particular
port is open or whether a server is running a particular service. Telnet can also
be used as a weapon in denial-of-service attacks. For example, sending garbage to
certain ports on an NT Web server under IIS can cause the targeted processor to jump
to 100 percent utilization. Initiating a Telnet session to other ports on an NT Web
server can cause the machine to hang or crash. This is particularly so when issuing
a Telnet connection request to port 135.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>A fix for this problem,
	issued by Microsoft, can be found at<TT> </TT><A HREF="ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postS"><TT>ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postS</TT></A>
	
<HR>


</BLOCKQUOTE>

<P>One can also crash Microsoft's Internet Information Server by Telnetting to port
80 and issuing a <TT>GET.../...</TT> request. Reportedly, however, that problem was
remedied with the Microsoft Windows NT Service Pack 2 for Windows NT 4.0. If you
do not have that patch/service pack, get it. A good treatment of this and other problems
can be found in the Denial of Service Info post, posted by Chris Klaus of Internet
Security Systems. In it, Klaus writes:

<DL>
	<DD>The file sharing service if available and accessible by anyone can crash the
	NT machine and require it to be rebooted. This technique using the dot...dot bug
	on a Windows 95 machine potentially allows anyone to gain access to the whole hard
	drive...Solution: This vulnerability is documented in Microsoft Knowledge Base article
	number Q140818 last revision dated March 15, 1996. Resolution is to install the latest
	service pack for Windows NT version 3.51. The latest service pack to have the patch
	is in service pack 4.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Visit the Denial of Service
	Info post at <A HREF="http://geek-girl.com/bugtraq/1996_2/0052.html"><TT>http://geek-girl.com/bugtraq/1996_2/0052.html</TT></A>.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>This was only a vulnerability in
	the Internet Information Server 2.0 World Wide Web server (HTTP). Later versions
	of IIS are reportedly clean. 
<HR>


</BLOCKQUOTE>

<P>Finally, Telnet is often used to generate fakemail and fakenews. Spammers often
use this option instead of using regular means of posting Usenet messages. There
are certain options that can be set this way that permit spammers to avoid at least
some of the screens created by spam-killing robots on the Usenet network.
<H2><FONT COLOR="#000077"><B>Summary</B></FONT></H2>
<P>Telnet is a very versatile protocol and, with some effort, it can be made secure.
(I personally favor SSH as a substitute, for it prevents against snooped Telnet sessions.)
Nevertheless, Telnet is not always secure out of the box. If you are using older
software (pre 1997), check whether the appropriate patches have been installed.</P>
<P>Telnet can also be used in a variety of ways to attack or otherwise cull information
from a remote host (some of those are discussed in this chapter). By the time this
book is released, many more Telnet attack techniques will have surfaced. If you run
a network and intend to supply your users with Telnet access, beware. This is especially
so on new Telnet servers. These new servers may have bugs that have not yet been
revealed. And, because Telnet is so interactive and offers the user so much power
to execute commands on remote machines, any hole in a Telnet distribution is a critical
one. It stands in the same category as FTP or HTTP in this respect (or is perhaps
even worse).
<H3><FONT COLOR="#000077"><B>Resources</B></FONT></H3>
<P><B>Sendmail Bug Exploits List.</B> Explains methods of attacking sendmail. Some
of these techniques use Telnet as the base application.

<UL>
	<LI><A HREF="http://www.crossroads.fi/~tkantola/hack/unix/sendmail.txt"><TT>http://www.crossroads.fi/~tkantola/hack/unix/sendmail.txt</TT></A>
</UL>

<P><B>Improving the Security of Your Site by Breaking Into It.</B> Dan Farmer and
Wietse Venema.

<UL>
	<LI><A HREF="http://stos-www.cit.cornell.edu/Mark_html/Satan_html/docs/admin_guide_to_cracking.html"><TT>http://stos-www.cit.cornell.edu/Mark_html/Satan_html/docs/admin_guide_to_cracking.html</TT></A>
</UL>

<P><B>The Telnet Protocol Specification (RFC 854).</B> J. Postel and J. Reynolds.
May 1983.

<UL>
	<LI><A HREF="http://sunsite.auc.dk/RFC/rfc/rfc854.html"><TT>http://sunsite.auc.dk/RFC/rfc/rfc854.html</TT></A>
</UL>

<P><B>The Telnet Environment Option (RFC 1408).</B> D. Borman, Editor. Cray Research,
Inc. January 1993.

<UL>
	<LI><A HREF="http://sunsite.auc.dk/RFC/rfc/rfc1408.html"><TT>http://sunsite.auc.dk/RFC/rfc/rfc1408.html</TT></A>
</UL>

<P><B>Telnet Environment Option (RFC 1572). </B>S. Alexander.

<UL>
	<LI><A HREF="ftp://ds.internic.net/rfc/rfc1572.txt"><TT>ftp://ds.internic.net/rfc/rfc1572.txt</TT></A>
</UL>

<P><B>Telnet Authentication: SPX (RFC 1412).</B> K. Alagappan.

<UL>
	<LI><A HREF="ftp://ds.internic.net/rfc/rfc1412.txt"><TT>ftp://ds.internic.net/rfc/rfc1412.txt</TT></A>
</UL>

<P><B>Telnet Remote Flow Control Option. (RFC 1372).</B> C. Hedrick and D. Borman.

<UL>
	<LI><A HREF="ftp://ds.internic.net/rfc/rfc1372.txt"><TT>ftp://ds.internic.net/rfc/rfc1372.txt</TT></A>
</UL>

<P><B>Telnet Linemode Option (RFC 1184).</B> D.A. Borman.

<UL>
	<LI><A HREF="ftp://ds.internic.net/rfc/rfc1184.txt"><TT>ftp://ds.internic.net/rfc/rfc1184.txt</TT></A>
</UL>

<P><B>The Q Method of Implementing Telnet Option Negotiation (RFC 1143).</B> D.J.
Bernstein.

<UL>
	<LI><A HREF="ftp://ds.internic.net/rfc/rfc1143.txt"><TT>ftp://ds.internic.net/rfc/rfc1143.txt</TT></A>
</UL>

<P><B>Telnet X Display Location Option (RFC 1096).</B> G.A. Marcy.

<UL>
	<LI><A HREF="ftp://ds.internic.net/rfc/rfc1096.txt"><TT>ftp://ds.internic.net/rfc/rfc1096.txt</TT></A>
</UL>

<P><B>Telnet Binary Transmission (RFC 856).</B> J. Postel and J.K. Reynolds.

<UL>
	<LI><A HREF="ftp://ds.internic.net/rfc/rfc856.txt"><TT>ftp://ds.internic.net/rfc/rfc856.txt</TT></A>
</UL>

<P><B>Remote User Telnet Service (RFC 818).</B> J. Postel.

<UL>
	<LI><A HREF="ftp://ds.internic.net/rfc/rfc818.txt"><TT>ftp://ds.internic.net/rfc/rfc818.txt</TT></A>
</UL>

<P><B>Discussion of Telnet Protocol (RFC 139).</B> T.C. O'Sullivan. Unfortunately,
this RFC is no longer available online.</P>
<P><B>First Cut at a Proposed Telnet Protocol (RFC 97).</B> J.T. Melvin and R.W.
Watson. Unfortunately, this RFC is no longer available online.</P>
<P><B>The Telnet Authentication Option.</B> Internet Engineering Task Force Internet
Draft. Telnet Working Group. D. Borman, Editor. Cray Research, Inc. February 1991.

<UL>
	<LI><A HREF="http://web.dementia.org/~shadow/telnet/preliminary-draft-borman-telnet-authentication-00.html"><TT>http://web.dementia.org/~shadow/telnet/preliminary-draft-borman-telnet-authentication-00.html</TT></A>
</UL>

<P><B>Telnet Authentication: Kerberos Version 4 (RFC 1411). </B>D. Borman, Editor.
Cray Research, Inc. January 1993.

<UL>
	<LI><A HREF="ftp://ds.internic.net/rfc/rfc1411.txt"><TT>ftp://ds.internic.net/rfc/rfc1411.txt</TT></A>
</UL>

<P><B>STEL: Secure Telnet.</B> Encryption-enabled Telnet. David Vincenzetti, Stefano
Taino, and Fabio Bolognesi.

<UL>
	<LI><A HREF="http://idea.sec.dsi.unimi.it/stel.html"><TT>http://idea.sec.dsi.unimi.it/stel.html</TT></A>
</UL>

<P><B>Session-Layer Encryption.</B> Matt Blaze and Steve Bellovin. Proceedings of
the Usenix Security Workshop, June 1995.</P>
<P><B>Attaching Non-TCP-IP Devices with Telnet.</B> Stefan C. Johnson. <I>Sys Admin:
The Journal for UNIX Systems Administrators</I>. June 1996.</P>
<P><B>Secure RPC Authentication (SRA) for Telnet and FTP.</B> David K. Hess, David
R. Safford, and Douglas Lee Schales. Proceedings of the Fourth Usenix Security Symposium,
Supercomputer Center, Texas A&amp;M University, 1993.</P>
<P><B>Internetworking with TCP/IP Vol. 1: Principles, Protocols and Architecture.</B>
Douglas Comer. Prentice Hall. 1991.

<UL>
	<LI><A HREF="http://www.pcmag.com/issues/1606/pcmg0050.htm"><TT>http://www.pcmag.com/issues/1606/pcmg0050.htm</TT></A>
</UL>

<P><B>Terminal Hopping.</B> Karen Bannan. <I>PC Magazine's InternetUser</I>--CRT,
Version 1.1.4 (01/30/97).

<UL>
	<LI><A HREF="http://www.pcmag.com/iu/util/telnet/vdcrt114.htm"><TT>http://www.pcmag.com/iu/util/telnet/vdcrt114.htm</TT></A>
</UL>

<P><B>Telnet &amp; Terminal Emulation.</B> <I>PC Magazine's InternetUser</I>. January
30, 1997.

<UL>
	<LI><A HREF="http://www.pcmag.com/iu/roundup/ru970130.htm"><TT>http://www.pcmag.com/iu/roundup/ru970130.htm</TT></A>
</UL>

<P><B>EFF's (Extended) Guide to the Internet--Telnet.</B> Adam Gaffin. <I>Mining
the Net</I>, Part I.

<UL>
	<LI><A HREF="http://cuiwww.unige.ch/eao/www/Internet/Extended.Guide/eeg_93.html"><TT>http://cuiwww.unige.ch/eao/www/Internet/Extended.Guide/eeg_93.html</TT></A>
</UL>

<CENTER>
<P>
<HR>
<A HREF="../ch28/ch28.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch30/ch30.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> <BR>
<BR>
<BR>
<IMG SRC="../button/corp.gif" WIDTH="284" HEIGHT="45" ALIGN="BOTTOM" ALT="Macmillan Computer Publishing USA"
BORDER="0"></P>

<P>&#169; <A HREF="../copy.htm">Copyright</A>, Macmillan Computer Publishing. All
rights reserved.
</CENTER>


</BODY>

</HTML>