v 18, 96 08:32:12 am
Organization: NTUA-NOC, National Technical University of Athens, GREECE
X-Disclaimer: My opinions do not necessarily represent those of my employer.
X-Work-Phone: +30-1-772-1-861
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-ids
Precedence: bulk
Reply-To: ids

Hi,

> 1) Does anyone have any experience using Hobbit's Netcat program
> to probe system vulnerabilities?

You could write a port scanner like this in ksh:

#!/bin/ksh
# ncprobe: report which TCP ports in a range accept a connection
[ -z "${3}" ] && {
    echo "usage: ncprobe [host] [low port] [high port]"
    exit 1
}
i=${2}
# include the high port in the range
while [ "${i}" -le "${3}" ]
do
    # -z: connect and close without sending any data
    nc -z "${1}" "${i}"
    [ $? -eq 0 ] && {
        echo "host ${1} port ${i} open"
    }
    let i=i+1
done
exit 0
#end of script

Of course this could be extended to do automated stuff based on which
port responds...

> 2) Does anyone have a log of such probing that they would care to post
> or share?

This probe produces the same logs as the probe_tcp_ports.c (run with no
arguments) or portscan.c or newping.c.

> 3) Is there an intrusion detection system that will explicitly
> identify Netcat probes, the same way as Courtney identifies Satan?

I do not think that it would differ if it is nc or any other C program.
socket(1) could be used instead. Netcat is a tool which could be used to
do nasty stuff... so could telnet. The question is if we can identify
probes in general, and especially those to random ports not protected by
wrappers.

rgrds,
--
Yiorgos Adamopoulos, <Y.Adamopoulos@noc.ntua.gr>
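
The closing question above, identifying probes in general regardless of which program opened the sockets, sketched as an added example that is not part of the original message. The record format, the function name find_scanners, the window and threshold values, and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records: (epoch_seconds, source_ip, dest_ip, dest_port).
# Addresses come from documentation ranges; none of this is real traffic.
SAMPLE = (
    # sequential sweep: 30 ports in 30 seconds
    [(1000 + i, "192.0.2.10", "198.51.100.5", 20 + i) for i in range(30)]
    # ordinary client: repeated connections to three services
    + [(1000 + 7 * i, "192.0.2.20", "198.51.100.5", p)
       for i, p in enumerate([25, 80, 25, 80, 110, 25])]
    # slow probe: one new port every two minutes
    + [(1000 + 120 * i, "192.0.2.30", "198.51.100.5", 1000 + i) for i in range(30)]
)


def find_scanners(records, window=60, threshold=15):
    """Return {(src, dst): peak distinct ports within `window` seconds}
    for every pair that reaches `threshold`.

    Only the connection pattern is examined, so the result is the same
    whether the connections came from nc, telnet or a C program.
    """
    recent = defaultdict(deque)   # (src, dst) -> (ts, port) entries still in window
    flagged = {}
    for ts, src, dst, port in sorted(records):
        q = recent[(src, dst)]
        q.append((ts, port))
        # drop entries that have aged out of the sliding window
        while q and q[0][0] <= ts - window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            flagged[(src, dst)] = max(distinct, flagged.get((src, dst), 0))
    return flagged


if __name__ == "__main__":
    for win in (60, 3600):
        print(win, find_scanners(SAMPLE, window=win))
```

With the 60-second window only the fast sweep is reported; the slow probe appears once the window is widened to an hour, which is the tuning trade-off any connection-count detector has to make.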