Chapter 5. Assessing Remote Information Services

Remote information services can collect information for later use (such as username and internal IP address information) and run arbitrary commands on the target server by exploiting process manipulation vulnerabilities. This chapter focuses on the assessment of these services and lists relevant tools and techniques that can test and assure the security of your services.

Remote Information Services

Unix-based systems and various device platforms, such as Cisco IOS, run remote information services that provide system, user, and network details over IP. Such services can be probed to collate username listings and details of trusted networks and hosts, and, in some cases, compromise systems directly.

I derived a basic list of remote information services from the /etc/services file:

systat          11/tcp
netstat         15/tcp
domain          53/tcp
domain          53/udp
finger          79/tcp
auth            113/tcp
snmp            161/udp
ldap            389/tcp
rwho            513/udp
globalcat       3268/tcp

systat and netstat

The systat and netstat services are interesting because current network and system information can be found easily by connecting to the services using telnet. The /etc/inetd.conf file on a system running systat and netstat typically includes the following lines:

systats stream  tcp  nowait  root /usr/bin/ps      ps -ef
netstat stream  tcp  nowait  root /usr/bin/netstat netstat -a

The ps -ef and netstat -a commands are bound to TCP ports 11 and 15, respectively. Example 5-1 shows how to use telnet to connect to the ...

Get Network Security Assessment now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.