Re: Netcat probing, logs and detection

Yiorgos Adamopoulos (Y.Adamopoulos@noc.ntua.gr)
Wed, 20 Nov 1996 19:20:48 +0200 (EET)

Organization: NTUA-NOC, National Technical University of Athens, GREECE 

Hi,

>     1)  Does anyone have any experience using Hobbit's Netcat program
>     to probe system vulnerabilities?

You could write a port scanner like this in ksh:

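#!/bin/ksh
# ncprobe: report which TCP ports in a range accept a connection (uses nc -z)

# all three arguments are required
[ -z "${3}" ] && {
        echo "usage: ncprobe [host] [low port] [high port]"
        exit 1
}

i=${2}

# walk the range, high port included
while [ "${i}" -le "${3}" ]
do
        # nc -z connects without sending data; exit status 0 means connected
        nc -z "${1}" "${i}"
        [ $? -eq 0 ] && {
                echo "host ${1} port ${i} open"
        }
        let i=i+1
done

exit 0
#end of script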

Of course this could be extended to do automated stuff based on which port
responds...

>     2)  Does anyone have a log of such probing that they would care to post
>     or share?

This probe produces the same logs as the probe_tcp_ports.c (run with no
arguments) or portscan.c or newping.c.

>     3)  Is there an intrusion detection system that will explicitly
>     identify Netcat probes, the same way as Courtney identifies Satan?

I do not think that it would differ if it is nc or any other C program.
socket(1) could be used instead.  Netcat is a tool which could be used
to do nasty stuff...so could telnet.

The question is if we can identify probes in general, and especially those
to random ports not protected by wrappers.

rgrds,

-- Yiorgos Adamopoulos, <Y.Adamopoulos@noc.ntua.gr>
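
Added example, not part of the original message and not the poster's code: one tool-agnostic way to identify probes in general is to count the distinct destination ports each source touches within a short time window. The log format, the function names and the sample addresses are assumptions made for this sketch; the input would have to come from a packet-level log, since ports not covered by wrappers leave no wrapper entry.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed log format, oldest first:
#   <epoch_seconds> <src_ip> <dst_port>   (one inbound connection attempt per line)
# detect_scans WINDOW LIMIT prints "<src> <distinct_ports>" once for each source
# that touches at least LIMIT distinct ports within WINDOW seconds.
detect_scans() {
    awk -v window="$1" -v limit="$2" '
    NF == 3 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        t = $1; src = $2
        n = ++count[src]; ev_time[src, n] = t; ev_port[src, n] = $3
        if (!(src in first)) first[src] = 1
        # Slide the window: drop events of this source older than WINDOW.
        while (t - ev_time[src, first[src]] > window) {
            delete ev_time[src, first[src]]; delete ev_port[src, first[src]]
            first[src]++
        }
        # Count distinct ports among the events still inside the window.
        split("", seen); distinct = 0
        for (i = first[src]; i <= n; i++) {
            p = ev_port[src, i]
            if (!(p in seen)) { seen[p] = 1; distinct++ }
        }
        if (distinct >= limit && !(src in flagged)) {
            flagged[src] = 1
            printf "%s %d\n", src, distinct
        }
    }'
}

# Constructed sample: a fast sequential probe (192.0.2.10), a host that keeps
# reconnecting to port 25 (198.51.100.7), and a slow probe (203.0.113.5).
sample_log() {
    cat <<'EOF'
1000 192.0.2.10 21
1000 198.51.100.7 25
1001 192.0.2.10 22
1002 192.0.2.10 23
1003 192.0.2.10 25
1004 192.0.2.10 79
1050 203.0.113.5 23
1060 198.51.100.7 25
1200 203.0.113.5 25
1350 203.0.113.5 80
1500 203.0.113.5 110
1650 203.0.113.5 119
EOF
}

sample_log | detect_scans 10 5    # short window: only the fast probe is flagged
```

Widening the window (for example `detect_scans 1000 5`) also catches the slow probe, at the cost of keeping more state per source and flagging more busy but legitimate hosts.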