Chapter 8. Assessing Remote Maintenance Services

This chapter covers the assessment of remote maintenance services that provide direct access to servers and devices for administrative purposes. Common remote maintenance services include FTP, SSH, Telnet, X Windows, VNC, Citrix, and Microsoft Terminal Services. Determined attackers often target remote maintenance services, as they provide direct access to the target host.

Remote Maintenance Services

Services used by network administrators to directly manage remote hosts over TCP/IP (e.g., SSH, Telnet, VNC, and others) are threatened by three categories of attack:

  • Information leak attacks, from which user and system details are extracted

  • Brute-force guessing of user passwords to gain direct system access

  • Process manipulation attacks (buffer overflows, format string bugs, etc.)

An online bank may be running the Telnet service on its Internet routers for administrative purposes. This service may not be vulnerable to information leak or process manipulation attacks, but a determined attacker can launch a brute-force attack against the service to gain access. Brute force is an increasingly popular attack vector for attackers attempting to break moderately secure networks.

I have derived this list of common remote maintenance services from the /etc/services file:

ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
exec            512/tcp
login           513/tcp
shell           514/tcp
x11             6000/tcp
citrix-ica      1494/tcp
citrix-ica-brws 1604/udp
ms-rdp          3389/tcp
vnc-http        5800/tcp
vnc             5900/tcp

Get Network Security Assessment, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.