Let me state one thing before finishing this article: it is not meant to encourage more people to engage in destruction. If you think this article can teach you much, you are also mistaken, because most of this depends on your own experience, and experience is something you have to earn through practice. Admittedly, the most important point is that the article as a whole is still fairly messy.
A vulnerability is a defect caused by an error in hardware, software or security policy, which lets someone use the flaw to gain unauthorized access to a system or to damage its normal use. The range of systems these defects can affect is very large: routers, client and server programs, operating systems, firewalls, and so on. A vulnerability does not announce itself; it depends on someone discovering it. The "latest" security vulnerabilities you see described every day may have been found by a hacker, a security service organization, the vendor of the program, or some restless person, and the information is published in different ways. If a security service, a hacker, or the vendor found the vulnerability, it will promptly appear on a security information mailing list or BBS so that network sites can look it up and patch. Those restless people, on the other hand, typically "publish" a vulnerability by breaking a pile of servers, or more. Last year's Microsoft bug confirms this: by the time Microsoft and the security services had received the vulnerability information, the cost was nearly a million servers in denial of service. I also remember last year receiving, on the internal mailing list of a foreign network-destruction organization I subscribed to, a Unix buffer overflow exploit; it affected many current Unix versions and was no small danger. The patch for that vulnerability was only released by the security services a month and a half later, and in that short month and a half a large heap of servers were hurt, including the United States MILNET and an Indian nuclear research institution.
Finding vulnerabilities is a complex process; it requires familiarity with a variety of languages and a considerable amount of network technology. I should say in advance that I have not found any vulnerability worth noting; you can take it that I merely know how the process goes. :) I want to describe this in two parts: first, how vulnerabilities are produced and how security weaknesses are created by people; second, how we, as ordinary users, can find out which vulnerabilities exist on a target server. But last month Ghastful-elf posted "Simple Discover Safety Failing in the System" on the Net.kook BBS, which tells how vulnerabilities arise and what they have in common, so I need not waste our time describing that; I will only talk about the other part.
How do you obtain system vulnerability information? By scanning, of course. A scanner is a program that automatically detects remote or local security weaknesses. A true scanner is a TCP port scanner, so some of these programs let you specify particular TCP/IP ports (ftp and so on) and the services behind them, probe them, and record the live information each target machine returns. This helps you collect useful information about the target host. Other programs, such as host and rusers, are simply Unix network applications, generally used to observe whether some service is working properly. Scanning programs are also commonly used by attackers; many attacks start from a scan.

One. SATAN

You should know this program. SATAN was written by Dan Farmer and Wietse Venema in C, Perl and some HTML, specifically for Unix, as a tool for analyzing, managing and testing network security and reporting on it; with it a great deal of information about a target host can be collected. It runs on many Unix platforms, most without porting. SATAN is indeed very old, but its role in the field of network security has not declined, so it is worth my describing it. SATAN's features include an extensible framework, a friendly interface, and a scalable detection method. Its overall structure lets the user easily add extra detectors and makes rapid automatic probing of many systems convenient, which is one reason SATAN has been an important program in network security since its release in April 1995. SATAN has one very important and rather peculiar feature, which also reflects its creators' very clear philosophy: they understood what they were doing. That feature is SATAN's automatic attack program, because the creators regarded intrusion as the safest and most prudent part.
Before discussing SATAN further, it is necessary to understand what SATAN is capable of. If you update your vulnerability information frequently, SATAN is the best choice, because it can sweep a target host for many known vulnerabilities. Specifically:
● FTPD vulnerabilities and a writable ftp directory. Most current Unix systems provide the FTPD daemon (in.ftpd on some Unix versions), but start it without parameters; often, after an intruder has gained control of a host, they will restart the machine to get FTPD's more advanced features, adding some parameters when FTPD starts......
● NIS vulnerabilities. NIS is a network query service; it stores the files containing system administration information on a designated host and provides that information to other users on the network.
● RSH vulnerability. This is a Unix service program that can execute a specified command.
● NFS vulnerabilities. NFS, the Network File System, is a protocol that lets one machine use another machine's disk space and files over a TCP/IP network connection. It has become the de facto standard for distributed access.
● X service vulnerabilities.
● Sendmail service vulnerabilities. Sendmail's main function is forwarding mail. Sendmail can give away some information, such as the current time and the host name...
The specific checks the scan performs:
● a writable anonymous FTP root directory
● arbitrary file access by means of TFTP
● REXD access from any host
● the NIS password file accessible from any host
● NFS file systems mountable from any host
● X server access control disabled
● old Sendmail versions before 8.6.10 (as far as I know these hardly seem to exist now).
Let us start with the installation of SATAN.
SATAN consumes more resources than ordinary scanning programs; it is especially demanding of memory and CPU. It also requires a Perl 5.0 or above script interpreter, and you need a browser, because it starts the browser automatically at run time. SATAN's packets have relatively large headers and are easy for the target to notice, so think about these points when choosing the platform to mount SATAN on, otherwise the effort is likely to be in vain. SATAN is generally installed in the directory /satan-1.1.1 (this varies a little). Before installing, first run the Perl program reconfig, which searches for the various components and customizes the directory paths. If your browser is not installed in a standard directory and is not in your PATH, you have to set it manually, because reconfig cannot find it. If your own machine has no DNS, you must set $dont_use_nslookup=1 in /satan-1.1.1/conf/satan.cf. Finally, you may run SATAN's install program on a distributed system such as IRIX or SunOS, but at compile time you have to pay more attention, as it is very error-prone. SATAN can automatically scan an entire subnet, so harnessing it is easy. But before using it you must have at least ordinary knowledge of network attacks. On Unix, the primary goal of most attacks is to obtain an ordinary login user; as many beginners' guides mention, this means obtaining a copy of the encrypted passwords in /etc/passwd or an NIS map, after which Crack can be used to guess at least one password.
Obviously, beyond attacking a single host, the advantage lies in focusing on the vulnerabilities that coexist with the target host in the system, that is, on the systems the target trusts: each system connected to it physically on the same wire, or each system sharing the same users. The attacker can then crash the DNS cache or use IP spoofing to masquerade as a trusted system or user, or sit on a trusted host, or, in the guise of a trust relationship, set up a barrier on the transmission path between the target machine and its peers, the so-called packet interception, to capture the data passing between the target and those machines. By far the most common approach is to look for a first user password, which is the /etc/passwd or NIS copy described above. SATAN can help you search the target system for NFS exports that allow root to read and write without restriction, or for root scripts; in other words, SATAN can build, for each user you have collected on the target machine, a path to administrator-level or root-level access to the system. If SATAN is pointed at an insecure Unix box, you need not do anything complicated: it can obtain an entry point into the system for you, or find some user permission that does not require privileges but still lets you control the system. On the ITL scale this is ITL9, and SATAN can cross it, because the author wrote an attack program into SATAN that simulates an intruder to automate the intrusion. This is described in detail in Farmer and Venema's 1993 paper "Improving the Security of Your Site by Breaking Into It" and in Farmer's Computer Oracle and Password System (COPS); even now, years later, these two writings retain their authority and importance.
Generally speaking, the first stage of a remote attack is obtaining a user name and password on the system. This first step can be divided into two: building a list of the target host's security vulnerabilities and collecting the information into a library, then matching the attack to the target host's vulnerabilities to gain access to the system. The second stage is obtaining root access; once you have root, the machine can be said to be completely controlled. The third stage is extending the access to attacks on other networks; this stage also includes cleaning up the traces left by the attack so that you stay hidden and are not found. For this reason tools have been written specifically to hide traces; the most famous is the Kit Vtivoy rootkit. A rootkit includes replacements for ps, ls, sum, who and so on, and can tamper with the output of those commands within the system, so the administrator cannot determine the integrity of the binaries, because sum itself is infected, and the infected ps cannot display the attacker's running programs. The author of that rootkit only wanted it for an exchange of art and never released it publicly, so it is generally not easy to obtain; with luck you might "find" it at ftp://semxa.technotr.com/tools/. What SATAN can do is the first and second stages.
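The paragraph above notes that an administrator cannot trust sum, ls or ps on a host where a rootkit may have replaced them. The following is an added example, not code from the article or from any rootkit: it shows the defender's alternative, a baseline of hashes taken from a trusted state and verified by a script the host did not supply. The file names and contents are constructed for the demo.

```python
"""Added example: verify binary integrity against an offline baseline
rather than trusting a sum binary that lives on the suspect host.
All file contents below are constructed for demonstration."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks; this runs in our own process, not via the host's sum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, names: List[str]) -> Dict[str, str]:
    """Record one hash per monitored binary. In practice this is done once, from a
    trusted state, and the manifest is kept off-host or on read-only media."""
    return {name: sha256_of_file(os.path.join(root, name)) for name in names}


def verify_against_baseline(root: str, baseline: Dict[str, str]) -> List[str]:
    """Return the names whose current hash differs from the baseline, or that are missing."""
    changed = []
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path) or sha256_of_file(path) != expected:
            changed.append(name)
    return changed


def demo() -> List[str]:
    """Constructed scenario: four 'binaries' are baselined, then ps is replaced,
    as the rootkit described in the text would do. Returns the changed names."""
    with tempfile.TemporaryDirectory() as root:
        originals = {"ps": b"ps-v1", "ls": b"ls-v1", "sum": b"sum-v1", "who": b"who-v1"}
        for name, content in originals.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(root, list(originals))
        # Simulate a trojaned ps: the on-host sum would be equally suspect, but our
        # own hash computed against the stored baseline still catches the change.
        with open(os.path.join(root, "ps"), "wb") as f:
            f.write(b"ps-trojaned")
        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())  # ['ps']
```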
To give a detailed presentation and description of SATAN, I think a whole book could be written. Of course I cannot be that detailed here, so I will try to use an example to illustrate. From the attacker's angle, first decide on a virtual attack target, then go at it. The target is www.semxa.com; the general steps against it are described below.
A. The first step is the same as always: collect information about the target machine. To describe SATAN's functions briefly but in detail, I will first scan www.semxa.com not with SATAN but with tools other than SATAN, or entirely by hand, because I think that is more persuasive.
1. Obtain the host name and IP address. By running whois and nslookup you can obtain the semxa.com domain's DNS server dns1.semxa.com and several other hosts; then run the named-xfer program and analyze its results together with those of whois and nslookup, which tells you which DNS servers in the semxa.com domain have network connectivity. By then a simple ping of each host tells you which hosts are behind the firewall, and so on. At the same time you learn that semxa.com runs ftp, telnet, SMTP and other services. Many attackers, however, do not bother with this; they just ping the host to obtain an IP and make no other judgment. Here, the IP address obtained is 184.108.40.206.
2. Obtain the OS type. Attackers are usually accustomed to using telnet to determine the system's OS, because the information obtained that way is more reliable. Sometimes a single telnet cannot reveal details such as the specific OS type, version or hardware platform, because the system has been protected; as a result the attacker will try to log in with the default accounts that have no password, such as: guest, lp, nuucp, tour, demos, 4Dgifts, root, and so on.
If the telnet daemon lets you send it environment variables and places no limit on what it accepts, that is a good start. Of course, administrators don't think so ;-).
3. Obtain FTPD information. A simple ftp login will generally publish this information on the opening line, like this:
Connected to www.semxa.com
220 www.semxa.com FTP server (Digital UNX Version wed Apr 8 09:21:53 EDT 1998) ready.
......
At this point you can try to log in as the anonymous user ftp or anonymous; anonymous FTP is very important to an attacker for collecting information.
User (www.semxa.com:(none)): ftp
530 User ftp access denied.
Login failed.
......
This one does not allow anonymous users to log in. Even so, obtaining the FTP server's weaknesses is still necessary; although FTP server weaknesses currently do not attract much attention, I think that in the near future FTP server weaknesses are likely to be a deathblow.
4. Obtain Sendmail information. Connect directly with telnet to the SMTP port, 25, to obtain the information. Sendmail was originally designed without security in mind, so it is itself a vulnerability.
229 www.semxa.com Sendmail 8.8.7/8.8.7 ready at Mon Apr
Here the Sendmail version obtained is 8.8.7, and the configuration file version is 8.8.7. If the version here were earlier than 8.6.10, I could stop right there, because a couple of usable vulnerabilities can be found for it, ending the first stage of this attack.
5. UDP/TCP scan. Do this if you want to obtain the information in the target system's /etc/inetd.conf file. That file lists the services assumed to be listening on ports, which allow telnet connections. But doing this by hand wastes time; for TCP ports you can rely on a more efficient method such as Strobe (ftp://semxa.technotr.com/tools/), though note the problem that Strobe leaves traces. I like its speed, and also that it costs nothing to log in. :-) For UDP ports you can use COAST (ftp://semxa.technotr.com/tools/). Some of this information is worth having and some is not; don't bother with the latter. I like to compile all the collected information into a list and then analyze it slowly.
6. Obtain Portmap information. Network services are provided mainly through three mechanisms: network daemons that always listen on a port; inetd, which listens on ports and invokes the network program when it receives a connection request; and the portmap program, which dynamically assigns a response port to an RPC service when a particular program requests it. To collect this kind of information you can use the rpcbind program (ftp://semxa.technotr.com/tools/), which was also written by Wietse Venema.
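The FTP and Sendmail greetings quoted in steps 3 and 4 are the kind of banner an administrator should audit on their own hosts, since they disclose the software and the version the text uses as a cut-off. This is an added example, not code from the article or from SATAN: it parses banners modelled on the ones above (the SMTP banner's date is constructed) and flags a Sendmail older than 8.6.10.

```python
"""Added example: parse FTP/SMTP greeting banners and flag an old Sendmail.
The banners are constructed after the ones quoted in the text."""
import re
from typing import Dict, Optional, Tuple

FTP_BANNER = "220 www.semxa.com FTP server (Digital UNX Version wed Apr 8 09:21:53 EDT 1998) ready."
SMTP_BANNER = "220 www.semxa.com Sendmail 8.8.7/8.8.7 ready at Mon Apr 12 10:00:00 1999"
SENDMAIL_MIN_OK = (8, 6, 10)  # the threshold the text (and SATAN's check) uses

_FTP_RE = re.compile(r"^(\d{3})\s+(\S+)\s+FTP server\s+\((.*)\)\s+ready\.?$")
_SENDMAIL_RE = re.compile(r"Sendmail\s+(\d+(?:\.\d+)+)(?:/(\d+(?:\.\d+)+))?")


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.6.10' -> (8, 6, 10); tuples compare component-wise, so 8.6.9 < 8.6.10."""
    return tuple(int(part) for part in text.split("."))


def ftp_banner_info(banner: str) -> Optional[Dict[str, str]]:
    """What an FTP greeting discloses: host name plus the software/build string."""
    m = _FTP_RE.match(banner.strip())
    if not m:
        return None
    return {"code": m.group(1), "host": m.group(2), "software": m.group(3)}


def sendmail_versions(banner: str) -> Optional[Tuple[Tuple[int, ...], Optional[Tuple[int, ...]]]]:
    """Return (binary version, config version) from a Sendmail greeting, or None."""
    m = _SENDMAIL_RE.search(banner)
    if not m:
        return None
    cfg = parse_version(m.group(2)) if m.group(2) else None
    return parse_version(m.group(1)), cfg


def sendmail_is_outdated(banner: str) -> Optional[bool]:
    """True if the banner advertises a Sendmail older than 8.6.10; None if not Sendmail."""
    found = sendmail_versions(banner)
    if found is None:
        return None
    return found[0] < SENDMAIL_MIN_OK


if __name__ == "__main__":
    print(ftp_banner_info(FTP_BANNER))
    print(sendmail_versions(SMTP_BANNER), sendmail_is_outdated(SMTP_BANNER))
```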
7. Obtain boot information. The main aim here is to get access to the bootps service within the same LAN segment: ping the target machine to determine its LAN address; the ping makes the target generate an ARP request packet containing its LAN address, and then you can dump the target system's ARP cache...... That's the situation! It requires you to be on the same LAN as the target host, and semxa.com is not. So even if this piece of information can be obtained it will not be very useful; of course, if you can obtain it, that proves you are within the same LAN as semxa.com. You can treat these words as nonsense. :)
8. Try finger, rusers and rwho. finger is used to display user information; the specific approach can be seen everywhere. rusers displays the list of users logged in on a remote host. rwho is somewhat like who: rwho displays who is logged in on the hosts of the local network. rusers produces a list similar to finger's, but rusers cannot query a single user's information. For example: #rusers -l www.semxa.com...... rwho is not very useful information for an attacker, but if you are on the same LAN as the target host it may be another matter; rwho depends on its daemon rwhod, whose responsibility is to broadcast regularly to the other rwhod programs who is on the system during that period.
9. Obtain NFS export information. NFS is a system program mainly responsible for file transfer operations under the NFS protocol; the MOUNT protocol can also be used to access a file system and its location on the remote host. NFS has the advantages of good scalability, information access, transparency, and simplified central support and network administration tasks. But it has big security problems.
NFS uses a client/server structure. The client is the system that uses the remote directory; in that case the remote directory is like part of its own local file system. The server provides a local resource as a service that remote hosts can mount, allowing directories or files on its disk to be accessed by other hosts. The network file system is realized by mounting the NFS server's file system into the client's file system. The NFS protocol is responsible only for the file transfer work, not for connecting the file systems. On the server side a daemon called mountd is responsible for the mounting task; it responds to mount requests and maintains the series of host names and path names involved in mounts. In Unix, the process of mounting a shared remote directory locally is generally called "mounting", and providing a directory for remote access is called "exporting"; the former is a client function, the latter a server function. In Unix there is a query command, showmount, whose role is to give NFS information about a remote NFS host. If rpcinfo -p shows that a remote host runs the mount service, the showmount command can be used to ask rpc.mountd for details. Its options include showmount -a, which prints the list of hosts that have mounted exported file systems, and showmount -e, which prints the list of file systems exported via NFS together with their authorizations. The 16-bit NFS uid is a very significant example: an NFS server relies on the client for authentication, but this authentication is just a request from the IP address, and there is a claim that a client uid of 0 + 2^16 = 65536 is accepted and not remapped to a new UID.
When the user requests access to a file, only the lower 16 bits of the uid are compared, which allows the user to masquerade as root. NFS should not be open to the Internet at all; even if you must, it should be read-only. If root can write, that is a laughing stock for network security. NFS depends on client-side authentication. If you analyze the showmount output while looking for vulnerabilities, and use tools such as Nfsbug, nfsmenu and others, it is possible to break into NFS.
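Two checks from the NFS discussion above, written here as an added example (not code from the article, SATAN, or any of the tools it names): first, the 16-bit uid comparison that lets a client uid of 65536 pass as root, beside a full-width comparison and the root-squashing remap a server should apply; second, flagging entries in showmount -e output that are exported to everyone. The hostnames, paths and showmount output are constructed.

```python
"""Added example: the 16-bit NFS uid truncation described in the text, with the
server-side mitigation, plus a parser that flags world-open exports in
constructed `showmount -e` output."""
from typing import Dict, List

UID_MASK_16 = 0xFFFF
NOBODY_UID = 65534  # conventional anonymous uid used for root squashing


def uid_low16(uid: int) -> int:
    """What a server that only looks at the lower 16 bits of the uid actually sees."""
    return uid & UID_MASK_16


def root_check_truncated(uid: int) -> bool:
    """Flawed check from the text: compares only the low 16 bits,
    so uid 65536 (0 + 2^16) matches root."""
    return uid_low16(uid) == 0


def root_check_full(uid: int) -> bool:
    """Correct check: compare the whole uid."""
    return uid == 0


def squash_uid(uid: int, allow_root: bool = False) -> int:
    """Server-side mitigation: map root (unless explicitly allowed) and any uid that
    does not fit in 16 bits to the anonymous uid instead of trusting the client."""
    if uid > UID_MASK_16:
        return NOBODY_UID
    if uid == 0 and not allow_root:
        return NOBODY_UID
    return uid


# Constructed showmount -e output, modelled on the command quoted in the text.
SHOWMOUNT_E = """Export list for 220.127.116.11:
/export/home (everyone)
/usr/local   client1.semxa.com,client2.semxa.com
/var/spool   *
/opt/tools   trusted.semxa.com
"""


def parse_showmount_e(text: str) -> Dict[str, List[str]]:
    """Map each exported path to the list of clients allowed to mount it."""
    exports: Dict[str, List[str]] = {}
    for line in text.splitlines()[1:]:  # skip the 'Export list for ...' header
        if not line.strip():
            continue
        path, _, clients = line.partition(" ")
        exports[path] = [c.strip() for c in clients.strip().split(",") if c.strip()]
    return exports


def world_exports(text: str) -> List[str]:
    """Paths exported to everyone: the 'mountable from any host' condition SATAN reports."""
    return [path for path, clients in parse_showmount_e(text).items()
            if any(c in ("(everyone)", "*") for c in clients)]


if __name__ == "__main__":
    print(root_check_truncated(65536), root_check_full(65536), squash_uid(65536))
    print(world_exports(SHOWMOUNT_E))
```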
10. Obtain NIS information. The Network Information Service, NIS, formerly called the Yellow Pages service, allows a unit or organization to share the information databases used for system administration, such as user groups and password files. NIS provides an important service for distributing important administrative files and transferring them automatically. Using NIS achieves the goal of centralized management: there is no longer the trouble of modifying files on many different machines, and the consistency of management information across the whole network is ensured. NIS is also based on the client/server model. The set of clients that access the same database through NIS is called a domain. The databases used for network queries are usually converted from several standard Unix files, and these databases are generally called NIS maps. The concept of an NIS domain is similar to a DNS domain. All computers in an NIS domain not only share the NIS database files but also share the same NIS server. To access NIS information a host must have the corresponding domain name, and can belong to only one specific domain. The NIS master server holds all the database files and provides clients with database access and other related services. The NIS database ASCII files are generally stored in /var/yp/domainname. Under Unix, the command #domainname x checks or sets the NIS domain name. The NIS server distributes the database files to all systems in the NIS/yp domain, generally without any checking, as long as the other party is in your NIS domain and knows the name that each ypbind user uses. This is obviously not a good thing in terms of security, but for an attacker it is a good phenomenon.
If ftp, telnet or smtp is used to send N requests, causing the NIS client's requests to go unanswered, the NIS client will broadcast a request to connect to another NIS server. The attacker then responds to that request, gets the client to connect to the attacker's own system, and issues the password map to the client; if this completes, the first stage of the attack is over. As an administrator: NIS, like NFS, should not be accessible from the Internet, and even less should it be in an untrusted environment. Keep the NIS domain name secret and hard to guess.
11. Obtain Web server information. Collecting Web server information is a main link in an attack. Although the Web daemon httpd does not directly expose server information, much of the information on the Web pages is useful, to an attacker that is. For example, a mail user name may correspond to a login user name on the system. Attacks on systems exploiting CGI and ASP vulnerabilities are also not uncommon. Here you can do some testing of the Web page paths on semxa.com. Simply watching the bottom-left corner of the browser gives you a page's storage path, and most of the time information about the local environment and the URL as well; if the target machine hides the URL, that is not available. By setting up a Web site and getting machines belonging to semxa.com to connect to it you can obtain some client information, but this is only useful on a LAN. I generally observe with the browser and record whatever information I think may be useful.
12. Obtain NNTP (Network News Transfer Protocol) information. Many times NNTP is the best way for an attacker to obtain target host information. NNTP is the protocol used for exchanging news between news servers, and it also applies between a news reader and a news server. Carefully searching each piece of news transmitted through the target host's address, you will find delivery sources from within the target host, or messages posted by the target host's users. Either way, this attack collects information about the target host. NNTP may choose to trust hosts when delivering, and so protect its information. But news readers such as tin, which interpret MIME statements in news, can deliver a statement by themselves yet conceal an error. If a .rhosts file is exposed to external ftp through a MIME statement, it becomes very easy for an attacker to open the door of a trusting system. That is not a good thing for security.
13. Collect routing information. Learning which gateway the target host is behind is very important to this attack, because the gateway program trusts routing packets from unauthorized sources. Of course, first you have to understand gateways and hosts. A gateway is a device connected to more than one network; it may have the option of forwarding data from one network to another. A router is a dedicated gateway. The gateway's routing program allows it to broadcast routing table information to the other routing daemons; these routing packets can be used to build a diagram of the routing table of each system around the target host, which also helps to add host names to the simple table of systems within this domain. These queries can be done with netstat -nr. From the query you can learn which router the target's IP segment connects to.
14. Obtain identd information. Find out whether the target host is running one or more identd servers, which are used to identify the user associated with a network connection. If it runs pidentd, for example, I can at least obtain some user information and system version information. For example, suppose there is someone on my ICQ whose identity I know, who is also a user of semxa.com and is logged in to semxa.com at this moment; I can use ICQ to send him a message to hold a connection with him, and then use the tool SOidlook (ftp://semxa.technotr.com/tools/) to get the identd information. identd information is useful: using the ICQ connection with the semxa.com user against the semxa.com auth port, then making N connection attempts impersonating that user and fumbling for things such as the FTP server bounce vulnerability, if any, specifying the shell or login port as the server's target port and scanning all possible ports on the client. If that matches, you can obtain useful rsh or rlogin access to semxa.com as that user. Of course, right now this is just guesswork. The most important thing is being able to get the identd information.
15. Obtain IP layer information. I need to know whether semxa.com allows IP source routing and IP forwarding. At the transport layer this means sending a packet to the network via IP forwarding and trying to get a response. Luckily for them, its firewall was not that poor. There is no shortcut, but you can also use Kit Vtivoy's route-tracing program Rtracker (ftp://semxa.technotr.com/tools/) to do it: with loose source routing and the -g option, send a packet source-routed from the source to the target; if we can get a response, then it is OK. Learn whether IP source routing and IP forwarding are allowed, because IP packet fragmentation is itself insecure. If a packet sniffer can see this fragmentation happen, the idea is to intercept the connection at the same time and then spoof the TCP header, using this fragment to obtain root by impersonation.
I tried tcpdump but got nothing. A few days ago the gentleman from Gallo, Mr. Rhinoceros, mentioned here that "passing aggravates the load of middle-router fragments......" (cite); I don't know whether he could write that up as an article and share it with everyone.
16. Obtain Simple Network Management Protocol (SNMP) information. SNMP is a simple network management protocol that lets a remote program easily manage network servers; it is a series of standards for communicating with TCP/IP network devices such as routers, switches and hubs. Via SNMP you can obtain host and route information. SNMP information is collected by sending SNMP requests. An SNMP request includes a community name, which the snmpd daemon on the target system uses to authenticate the access request; there are two kinds of request, the SNMP GetRequest and the SNMP SetRequest. I will not assume here that you have mastered the art of SNMP, because Dave Goldsmith's article on attacks using SNMP, hosted here at MOSES, is more detailed than anything I could write; you need to go and read it (if you haven't seen it). Personally, though, I think SNMP's future will not be long.
17. Other information. In fact, when collecting information, no piece of data should be let go, because a moment's negligence may make you lose an opportunity. Understanding all of the target host's information is very useful for the final compilation. Besides what is said above, you should also obtain, where present, information on packet sniffing, NTP, relay chat, talk, systat, gopher, UUCP, CGI, compilers, and so on. Recently UUCP security issues have been discussed quite lively on GOLD COAST, and for a period I also paid a lot of attention to UUCP, but after Chameleon's last "UUCP - the age-old security problem of UUCP", the word "age-old" sank in my mind. Even so, that does not mean giving up, if there is anything to find.
From the top until now, most of the information has been collected; organizing it is then necessary, so that it looks clear and nothing is omitted. In general, at the end of a collection I put it into a form like the following:

host: www.semxa.com
port server: 21 ftp, 22 SSH, 23 telnet, 25 SMTP, 117 UUCP ......
ftp server: open
os: Digital UNX Version
bugs log: ..................

This way the information can readily be found. Very convenient. The above describes the general idea of how an ordinary attacker collects and accesses target-host information by hand; the reason I have gone on at such length in a piece about SATAN is that it is all very relevant to SATAN itself. Collecting all this information manually takes a long time and is a huge project; it might take you four to five hours. Given to SATAN, it takes only a few minutes. Moreover, SATAN also tries the vulnerabilities whose attack code has been implanted in it. If all of the above information can be obtained by SATAN, then it can be concluded that scanning a network with SATAN is a very dangerous operation, the danger being relative to malicious destruction. In scanning, SATAN attaches great importance to active processes on the target system's various TCP and UDP ports. But these in turn depend on the scan type the user specifies. In SATAN the type is chosen according to network conditions, and there are three scan levels: light (mild), normal (standard), and heavy (severe). The three levels and their specific behaviour:
Light (mild) scan: this scan covers DNS, rpc, and portmap. The DNS scan uses nslookup, the Unix command procedure for interactively querying Internet host and name server information, to gather more information about the target host, including its MX records and authoritative name servers. The rpc scan requests a service list from the target host's portmap, then checks the list for: bootparam, ypbind, selection_svc, nfs, rexd, arm, mountd, rusersd, netinfobind and admind. If mountd appears in the portmap service list, SATAN's showmount scan first asks the target's mountd for a list showing which file systems are exported and which hosts are allowed to mount them, and finally asks the target's mountd to list the hosts actually mounting file systems and which file systems they have mounted. showmount is a Unix information-query command that gives NFS information about a remote host, for example $showmount -e 220.127.116.11. This scan does no ordinary TCP or UDP scanning, so its range is relatively small.
Normal (standard) scan: the standard scan contains everything in the mild scan and adds scans of fingerd, various TCP services, and UDP services. When scanning, based on the results and the scan rule library, it selects rusers (a Unix information-query command that displays the list of users logged in on a remote machine), bootparam and yp for scanning. The finger query needs no explanation. SATAN then performs the TCP scan to find active gopher, http, FTP, telnet, SMTP, NNTP, UUCP, X and other services on the target's ports, and then the UDP scan for DNS and Xdmcp. If the portmap query reports that rusersd is available on the target, SATAN asks rusersd which users there are, which systems they logged in from, and so on.
The rpc bootparam service lets SATAN obtain the NIS domain name, and once SATAN has the domain name it starts the yp-chk program, which tries to fetch the passwd.byname map from the NIS server. In practice SATAN's standard scan is the most commonly used, because on a great many machines it has already reached its purpose by this point.
Heavy (severe) scan: this scan includes everything in the two levels above and adds further scans of the more active services. The TCP ports scanned run from 1 to 65535, although the default is 1 to 9999; the UDP ports run from 1 to 2050 and from 32767 to 33500. Obviously this takes time and a lot of resources.
The three scans above are really only the first stage of a SATAN scan, whose main purpose is to collect information about the target machine. SATAN's rule-based scan does include checks for some common security vulnerabilities, but it does not cover all known vulnerabilities; those you have to add yourself. Regularly updating your SATAN vulnerability library is very important for discovering new vulnerabilities. Adding a new scan is done by creating a new .satan file and putting it in the bin/ directory. Setting up SATAN is also very simple, though rather tedious. The SATAN software package contains a lot of HTML used to build its Web pages, and these pages are very important, because much of the vulnerability information comes from them. Briefly, the way to set up SATAN is this. In the config/ directory, edit the paths.pl and paths.sh files, which you do need for file placement; next, edit config/satan.cf according to your own requirements, and consider adding some simple and practical entries to $only_attack_these and $dont_attack_these, the two variables that control which hosts SATAN scans. Run the reconfig script; note that it is a Perl 5.00x script that also picks a Web browser, and if the browser reconfig chooses does not suit you, edit config/paths.pl to point at the browser of your choice (the browser variable is $MOSAIC). Then go to the satan-1.1.1/ directory and run make. If you want to hide yourself, or need a proxy, note that the SATAN documentation specifically says not to set the proxy environment variable or a browser proxy. Log in as root to run the SATAN script; if no command line arguments are given, the script starts a small Web server, namely html.pl, and the dialogue continues from there...... Once everything is in order, SATAN's main interface will appear.
Since operating SATAN is very simple, describing how to use it may be a bit long-winded. :-) First start SATAN; needless to say, starting it requires # (root). When administrators use SATAN it is best to configure it to refuse to run SATAN from any IP other than the local one, but even that cannot prevent misuse completely, because under normal circumstances IP spoofing can bypass this step. Then, in the configuration management options, for www.semxa.com as the single target to be scanned, the maximum proximity must be set to 0 and subnet expansion turned off; alternatively, edit config/satan.cf beforehand and use the $only_attack_these variable as needed to restrict the scan to that single host. Then select the "Change the Configuration File" item to save the changes. Very often relaxing the limit to a whole segment gives better results, but that depends on whether you have the time and energy. Finally, enter the destination address under "Target Selection", choose the scan level, and start the scan. All that remains is to wait for the results. When SATAN's status line reports that the scan has completed, you can select "View primary target results" on SATAN's Data Gathering screen to browse the results, or look at them in SATAN's results/satan-data subdirectory. With the collection of information and weaknesses finished, what remains is the tedious analysis of those results; this is the nerve-racking part, at least in my case. :-\ For www.semxa.com I have now collected a lot of information in my table, and "condemnation" is the next thing to do. While SATAN was collecting the target machine's OS, I used the spare time to go to www.netsafety.com and collect all the vulnerability information for that OS, and with it I can identify in SATAN's report which items can be used and which can be discarded. So regularly paying attention to the latest security weakness reports is very important.
But for the moment, what has to be done, or is needed first, is a user who can log in to the system, together with that user's password. Being able to enter the system as anonymous is undoubtedly a good sign. Although anonymous FTP is not a vulnerability in itself, it lets the attacking user obtain system information, much of it about vulnerabilities that SATAN cannot reach, and thanks to low-level administrator misconfiguration it can even yield the /etc/passwd file. Systems on the Internet that provide anonymous service are still very numerous, and we take the time to explore them, if we have the time. I do not think anonymous FTP will be around for the long term, though; after all, it is a potential security risk. The way to set up anonymous FTP service on Unix:
    $ mkdir /home/ftp
    $ cd /home/ftp
    $ mkdir bin
    $ mkdir etc
    $ mkdir pub
    $ mkdir lib
    $ cp /bin/ls /home/ftp/bin
    $ chmod 111 /home/ftp/bin/ls
Then you need to create an FTP group that only the anonymous FTP user can use; this group has no other members. Add the newly created group to the /etc/group file, and then create a separate /home/ftp/etc/group file containing:
    FTP::50
Create the anonymous FTP user name by putting the user's entry in /etc/passwd, and create a /home/ftp/etc/passwd file, which of course may contain only the FTP entry. Its content looks like this:
    FTP:*:23:32::no shell
Then you need to set these files to read-only (444):
    $ chmod 444 /home/ftp/etc/passwd
    $ chmod 444 /home/ftp/etc/group
The above is the general anonymous FTP configuration on Unix. From "no shell" above it is not hard to see that an anonymous FTP user who logs in cannot operate the system through a shell. If, as things stand, the anonymous FTP user can get at the operating system through a shell, or has a legitimate shell, then the administrator must be a dunce. And the so-called anonymous user obtaining /etc/passwd belongs to the same class of low-level administrator configuration error.
The anonymous FTP /home/ftp/etc directory contains passwd and group files; these let anonymous users see owner names when using ls, but not the UID, and the password field of that passwd file is unusable. But if the administrator carelessly copies the real /etc/passwd and /etc/group files into /home/ftp/etc, the attacker is laughing. There is also the danger that, on telnetting to the ftp port 21, if SITE CHMOD and SITE EXEC are allowed and /home is owned by the anonymous FTP user, the permissions may be set to 777 or more and things modified, and so on and so forth. But semxa has no anonymous FTP service, so the above is just what I was thinking beforehand. haha...... :-x
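As an added defender-side example, not from the original article, here is a POSIX shell audit of an anonymous FTP tree for the mistakes just described (real passwd/group copied into the chroot, a usable password or login shell on the ftp entry, world-writable paths). The function names audit_anon_ftp and build_demo_tree, the paths and the sample file contents are all constructed for illustration.

```shell
# Added example, not from the original article: audit an anonymous FTP chroot
# for the mistakes described above. Every path and file content here is constructed.
# audit_anon_ftp FTPROOT SYSTEM_PASSWD SYSTEM_GROUP
# Prints one line per finding; returns the number of findings (0 = clean).
audit_anon_ftp() {
    root=$1; sys_passwd=$2; sys_group=$3; findings=0
    # 1. The chroot's etc/passwd and etc/group must not be copies of the real files.
    for f in passwd group; do
        case $f in passwd) sys=$sys_passwd ;; group) sys=$sys_group ;; esac
        if [ -f "$root/etc/$f" ] && cmp -s "$root/etc/$f" "$sys"; then
            echo "FINDING: $root/etc/$f is a copy of the system $f file"
            findings=$((findings + 1))
        fi
    done
    # 2. Each chroot passwd entry needs a disabled password ('*') and no login shell.
    if [ -f "$root/etc/passwd" ]; then
        while IFS=: read -r user pw uid gid gecos home shell; do
            [ "$pw" = "*" ] || { echo "FINDING: $user has a usable password field"
                                 findings=$((findings + 1)); }
            case $shell in /bin/*sh|/usr/bin/*sh)
                echo "FINDING: $user has login shell $shell"
                findings=$((findings + 1)) ;;
            esac
        done < "$root/etc/passwd"
    fi
    # 3. Nothing in the tree may be world-writable (the 777 damage mentioned above).
    for path in $(find "$root" -perm -002 ! -type l); do
        echo "FINDING: $path is world-writable"
        findings=$((findings + 1))
    done
    return $findings
}
# build_demo_tree DIR good|bad: constructed sample trees, with fake "system"
# passwd/group files placed beside them, for exercising the audit offline.
build_demo_tree() {
    d=$1; mkdir -p "$d/bin" "$d/etc" "$d/pub" "$d/lib"
    chmod 755 "$d" "$d/bin" "$d/etc" "$d/pub" "$d/lib"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'ftp:x:23:32:ftp:/home/ftp:/bin/sh' > "$d/sys_passwd"
    printf 'ftp::50:\n' > "$d/sys_group"
    if [ "$2" = bad ]; then   # the admin copied the real files into the chroot
        cp "$d/sys_passwd" "$d/etc/passwd"; cp "$d/sys_group" "$d/etc/group"
        chmod 777 "$d/pub"
    else                      # the layout the article describes
        printf 'ftp:*:23:32:Anonymous FTP:/home/ftp:/nonexistent\n' > "$d/etc/passwd"
        printf 'ftp:*:50:\n' > "$d/etc/group"
    fi
    chmod 444 "$d/etc/passwd" "$d/etc/group"; chmod 644 "$d/sys_passwd" "$d/sys_group"
}
```

Run it as `build_demo_tree /tmp/demo bad; audit_anon_ftp /tmp/demo /tmp/demo/sys_passwd /tmp/demo/sys_group` to see the seven findings the misconfigured tree produces; the good tree returns 0.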
As far as SATAN is concerned, www.semxa.com does not actually have many vulnerabilities, but there is one of absolutely usable grade: the mountd vulnerability. This is a very old vulnerability, reportedly extending to the VAX as well; Sun's description is "if two successive mount -d -s commands are sent to the machine within a few seconds, the request is carried out......". Buffer overflows, meanwhile, have always been a concern: of all the types of security vulnerability, the buffer overflow is the most common. But to make use of a buffer overflow exploit you have to be familiar with assembly language, C and Unix, Windows and even Linux and other systems; otherwise you can only imitate what others do, which is very unnatural and also very inconvenient. Most importantly, of course, you need to know what a buffer overflow is. Mixter once wrote, in '95, an introductory article on the use of buffer overflows, "Writing buffer overflow exploits - a tutorial for beginners"; here I am purely "advertising" it. To read that article in full you can go to http://semxa.kstar.com/HANLU/buffer95.txt.
I advocate turning the scan results into a table because it lets you match them against vulnerabilities better; it is well worth it. Users comfortable with English can go to BUGTRAQ when building the table and find the most important items there, where you can even match up the attack code. Users tired of English can go to www.105.com.cn, a very valuable site where you can find the security vulnerabilities of all sorts of systems since '97, most of them with code.
How to make use of the collected vulnerabilities to attack is, for the time being, not a problem this article discusses. In fact, discussion of exploits and their use has already received a lot of attention; many of my friends think so. I think this is something where, as with any real art, success is mostly backed by toughness, refusal to give up, the courage to persevere and dedicated effort, and never by anything that falls from the sky or is brought from birth, the "born genius". If a potential vulnerability can get you the highest privileges, then what about the case where there is no vulnerability at all? When we were still trying modem dial-up intrusion, and even when we went a little further into the esoteric, the Americans were already carrying out DCC attacks; one cannot help finding that the world is so big, and we are too shallow......