
How do the scanners commonly used by hackers work?

In the field of Internet security, scanners are one of the most common attack tools. Many network intrusions begin with a scan. Scanners are used to identify security vulnerabilities in the target host, some of which are still present in many systems even though they were publicized long ago, which gives outsiders an opportunity to break in.

A scanner is a program that automatically detects security weaknesses in a remote or local host. Different scanners check for different security vulnerabilities, but generally it boils down to two types:

Host system scanners; network scanners.

Host system scanners are used to scan the local host for security vulnerabilities, which are often incorrectly configured file permissions and default accounts. The best-known host system scanner is COPS (Computer Oracle and Password System), which checks UNIX systems for common security configuration problems and system flaws. Network scanners are used to find security flaws that can be exploited by remote attackers by checking which port numbers and services are available. SATAN (System Administrator's Tool for Analyzing Networks) is a well-known network scanner that can be used to find vulnerabilities in the following areas:

File Transfer Protocol vulnerabilities; Network File System vulnerabilities; Network Information Service password vulnerabilities; remote shell access vulnerabilities; Sendmail vulnerabilities; Common File Transfer Protocol vulnerabilities; and X server security and access controls.

In addition, there are well-known network scanners such as SAINT, ISS, NESSUS, NMAP and so on. Since new vulnerabilities keep appearing in network systems, a scanner has to constantly update its vulnerability database or its check routines.

Working Principle

Although host system scanners and network scanners are not identical from a technical point of view, they share the same basic characteristics. One of these is the scanner's detection mechanism. Most scanners work according to the workflow shown above.

Taking a network scanner as an example, we analyze how a scanner works. A network scanner is designed to collect a lot of useful information about the target host (e.g., whether the FTP service accepts anonymous logins, whether there is a writable FTP directory, whether Telnet is available, and whether HTTPD is running as root or as a regular user) by connecting to the services on the different TCP/IP ports of the remote host and logging the answers the target gives.

When the target host is running a Unix operating system, it usually provides more services. It is possible to scan through the ports of that host to detect what services it offers. For example, scanning host 192.168.0.68 for ports between 10 and 100 results in the following:

$portscan 192.168.0.68 10 100
192.168.0.68 21 accepted
192.168.0.68 23 accepted
192.168.0.68 25 accepted
192.168.0.68 80 accepted

It can be seen that host 192.168.0.68 provides services on ports 21, 23, 25 and 80. For ports below 1024, the port number is assigned to a service in a fixed way. For example:

21 corresponds to the FTP service
23 corresponds to the telnet service
25 corresponds to the mail service
80 corresponds to the Web service
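Because a scanner works by probing many ports of one host in quick succession, the same behaviour can be spotted on the defender's side. The following is an added example (not code from the article) that detects this pattern in connection-log lines; the log layout and the sample entries are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp src dst dport action" layout.
# Host 10.0.0.5 touches many ports of 192.168.0.68 within a few seconds, like the
# port scan in the article; host 10.0.0.7 only talks to the web service.
SAMPLE_LOG = """\
2023-11-14T21:29:30 10.0.0.5 192.168.0.68 21 ACCEPT
2023-11-14T21:29:30 10.0.0.5 192.168.0.68 22 DROP
2023-11-14T21:29:31 10.0.0.5 192.168.0.68 23 ACCEPT
2023-11-14T21:29:31 10.0.0.5 192.168.0.68 25 ACCEPT
2023-11-14T21:29:32 10.0.0.5 192.168.0.68 53 DROP
2023-11-14T21:29:32 10.0.0.5 192.168.0.68 80 ACCEPT
2023-11-14T21:29:33 10.0.0.5 192.168.0.68 110 DROP
2023-11-14T21:30:10 10.0.0.7 192.168.0.68 80 ACCEPT
2023-11-14T21:30:11 10.0.0.7 192.168.0.68 80 ACCEPT
2023-11-14T21:35:00 10.0.0.5 192.168.0.68 443 DROP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ACCEPT|DROP)$")


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port, action) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def detect_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted ports} for pairs touching >= min_ports distinct
    ports inside a sliding window; dropped probes count too, since a scanner
    learns from refusals as well as from accepted connections."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for ts, p in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts[pair] = sorted(ports)
                break
    return alerts
```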

On Unix systems there are also tools that scan for certain specific services, which are used to see whether a particular service process is running on a remote host. Examples include rusers and finger, both of which are Unix commands. With these two commands you can gather information about the users on the target computer. Running the rusers command produces results like the following:

wh yjb.dcs:ttyp1 Nov 13 15:42 7:30 (remote)
root yjb.dcs:ttyp2 Nov 13 14:57 7:21 (remote)

This shows the users who are logged in remotely, by username, and also includes information such as the last login time, the type of shell used, and so on. Running finger produces a result similar to the following:

user S00 PPP ppp-122-pm1.wiza Thu Nov 14 21:29:30 - still logged in
user S15 PPP ppp-119-pm1.wiza Thu Nov 14 22:16:35 - still logged in
user S04 PPP ppp-121-pm1.wiza Fri Nov 15 00:03:22 - still logged in
user S03 PPP ppp-112-pm1.wiza Thu Nov 14 22:20:23 - still logged in

This command displays the status of the users. It is built on the client/server model: the user requests information from the server through client software, and the reply is interpreted and presented to the user. A fingerd program must be running on the server, which, depending on how the server is configured, may provide certain information to the client. Many servers do not provide this service at all, or provide only irrelevant information, when the protection of such personal information is a concern.

A full-featured scanner should be able to detect the various system vulnerabilities and bugs in the operating system and service programs. To do this, it needs to check various system configuration files, such as:

/etc/passwd password file
/etc/hosts host list file
/etc/networks network list file
/etc/protocols protocol list file
/etc/services service list file
/etc/hosts.equiv host trust list file
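As an added illustration of the host-system-scanner checks described above (this is example code, not COPS or any other tool's own logic), the following routines audit two of the listed files for the classic misconfigurations: empty password fields and extra UID 0 accounts in /etc/passwd, and a wildcard "+" trust entry in /etc/hosts.equiv. The file contents are constructed samples, not real system files.

```python
import stat

# Constructed sample /etc/passwd: "guest" has an empty password field and
# "toor" is a second UID 0 account; the other two entries are clean.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
toor:x:0:0:backup admin:/root:/bin/sh
wh:x:1002:1002:Wang H:/home/wh:/bin/sh
"""

# Constructed sample /etc/hosts.equiv with a wildcard "+" that trusts every host.
SAMPLE_HOSTS_EQUIV = """\
# trusted hosts
yjb.dcs
+
"""


def check_passwd(text):
    """Return a list of findings for malformed entries, empty password fields,
    extra UID 0 accounts and duplicate usernames."""
    findings, seen = [], set()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"malformed entry: {line!r}")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"{name}: empty password field")
        if uid == "0" and name != "root":
            findings.append(f"{name}: extra UID 0 account")
        if name in seen:
            findings.append(f"{name}: duplicate username")
        seen.add(name)
    return findings


def check_hosts_equiv(text):
    """Flag the '+' wildcard, which extends rsh/rlogin trust to every host."""
    findings = []
    for line in text.splitlines():
        entry = line.strip()
        if entry == "+" or entry.startswith("+ "):
            findings.append("hosts.equiv: wildcard '+' trusts every host")
    return findings


def world_writable(mode):
    """True if a file mode (as from os.stat(...).st_mode) grants write to others."""
    return bool(mode & stat.S_IWOTH)
```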

More mature scanners, such as SATAN, Nessus, ISS and others, are able to examine these configuration files in detail and produce full reports and recommendations.