UNIX offers a service called ident or auth which will identify the user of a TCP connection. In the intended operation of this feature, when a user connects to a server, the server sends back a request to the ident service to discover the user's identity.
However, it can also be used in reverse. If the server itself has the ident feature turned on, then when a user connects to the server, the user can query the server's ident service for the identity of the service they are connecting to, i.e. which account owns the listening process.
This helps discover possible accounts that can be broken into.
- The technique involves issuing a request to the ident/auth daemon, usually on port 113, to query the service for the owner of the running process.
- Finds daemons running as root.
- An intruder who finds a vulnerable overflow may instigate other suspicious activities involving this port.
- identd could release miscellaneous private information such as:
* user info
* entities
* objects
* processes
ADVANTAGES : fast, requires no additional privileges, returns vital service information.
DISADVANTAGES : Easily Detectable
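The reverse query described above, as an added worked example that is not code from the original post: it builds and parses RFC 1413 ident messages, flags the root-owned-daemon case the post mentions, and shows the reply a hardened identd sends instead of the account name. The owner table, port numbers and the hide_users policy are constructed assumptions for the example.

```python
import re

# RFC 1413 wire formats (sample values below are constructed, not from the post):
#   request : "<server-port>,<client-port>\r\n"
#   reply   : "<server-port>,<client-port>:USERID:<os-type>:<user-id>\r\n"
#          or "<server-port>,<client-port>:ERROR:<error-type>\r\n"
REQUEST_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:(.*)$")

def parse_reply(line: str) -> dict:
    """Parse one identd reply line into a dict; raises ValueError if malformed."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed ident reply: {line!r}")
    sport, cport, kind, rest = m.groups()
    out = {"server_port": int(sport), "client_port": int(cport), "status": kind}
    if kind == "USERID":
        # <os-type> ":" <user-id>; the user-id may itself contain colons
        os_type, _, user = rest.partition(":")
        out.update(os=os_type.strip(), user=user.strip())
    else:
        out["error"] = rest.strip()
    return out

def runs_as_root(reply: dict) -> bool:
    """True when the reply discloses root as the owner: the finding the post describes."""
    return reply["status"] == "USERID" and reply.get("user") == "root"

# Constructed owner table for the identd host: local port -> (os-type, process owner).
OWNERS = {25: ("UNIX", "root"), 8080: ("UNIX", "www-data")}

def identd_reply(request: str, owners: dict = OWNERS, hide_users: bool = True) -> str:
    """Reply as a local identd would. With hide_users=True it answers ERROR:HIDDEN-USER
    instead of the account name, which removes the disclosure (the alternative is to
    not run identd at all)."""
    m = REQUEST_RE.match(request.rstrip("\r\n"))
    if not m:
        # Unparseable request: echo placeholder ports and refuse (treated as INVALID-PORT here)
        return "0,0:ERROR:INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    prefix = f"{sport},{cport}"
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{prefix}:ERROR:INVALID-PORT\r\n"
    if sport not in owners:
        return f"{prefix}:ERROR:NO-USER\r\n"
    if hide_users:
        return f"{prefix}:ERROR:HIDDEN-USER\r\n"
    os_type, user = owners[sport]
    return f"{prefix}:USERID:{os_type}:{user}\r\n"
```

Detection-wise, the tell is an inbound TCP/113 connection from a host that has just connected to one of your services; that pattern, rather than the reply content, is what to alert on.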
any details on this?
some examples?
10x.