Chapter 5. Assessing Remote Information Services
Remote information services can collect information for later use (such as username and internal IP address information) and run arbitrary commands on the target server by exploiting process manipulation vulnerabilities. This chapter focuses on the assessment of these services and lists relevant tools and techniques that can test and assure the security of your services.
Remote Information Services
Unix-based systems and various device platforms, such as Cisco IOS, run remote information services that provide system, user, and network details over IP. Such services can be probed to collate username listings and details of trusted networks and hosts, and, in some cases, compromise systems directly.
I derived a basic list of remote information services from the /etc/services file:
systat 11/tcp netstat 15/tcp domain 53/tcp domain 53/udp finger 79/tcp auth 113/tcp snmp 161/udp ldap 389/tcp rwho 513/udp globalcat 3268/tcp
systat and netstat
The systat and netstat services are interesting because current network and system information can be found easily by connecting to the services using telnet. The /etc/inetd.conf file on a system running systat and netstat typically includes the following lines:
systats stream tcp nowait root /usr/bin/ps ps -ef netstat stream tcp nowait root /usr/bin/netstat netstat -a
commands are bound to TCP ports 11 and 15, respectively. Example 5-1 shows how to use
telnet to connect to the ...