Scanners and Sniffers

Crackers sometimes engage in information-gathering expeditions. These activities aren't designed to break into a computer by themselves; instead, they're intended to gather information that facilitates future break-in attempts. Common activities along these lines include:

System Scans A system scan is designed to test a specific system's vulnerabilities. A simple scan checks for open ports—numbered access points used by network clients and servers. Most servers have assigned standard ports, as defined in /etc/services. For instance, web servers usually run on port 80. If a system probe detects that port 80 is open, the cracker infers that the computer is running a web server and may be vulnerable to any number of attacks associated with web servers. More detailed system scans may attempt to determine which web server is running, and hence what attacks might succeed. Other types of system scans may attempt to identify which OS the server is running, and hence identify any vulnerabilities unique to a specific OS.

Network Scans Network scans are much like system scans, but they're directed against an entire network. For instance, a cracker might know of a newly discovered vulnerability in the Apache web server. The cracker will, therefore, launch a network scan designed to find systems running the vulnerable version of Apache. These scans will target hundreds of computers in a short period of time, but they'll look only for the vulnerable software; these scans may miss other vulnerable programs.

Network Sniffing Network sniffing requires physical access to a network, either via a compromised computer on the network or by the cracker installing a new device on the network. A network sniffer monitors network activity and logs interesting data, such as unencrypted passwords. If an Ethernet network uses hubs or coaxial cabling, sniffers can monitor all the activity on the network. If the network uses switches, though, sniffers can normally only detect packets directed to or sent from the system that runs the sniffer, along with a handful of broadcasts—packets deliberately sent to all the computers on the network.

Scanning and sniffing are accomplished by way of programs, known generically as scanners and sniffers. These programs are handy tools for crackers, but they also have legitimate uses. For instance, you might use a scanner to check your systems for the presence of servers they shouldn't be running, as described in the upcoming section, "Using Remote Network Scanners." Network sniffers, such as tcpdump and Snort, are useful for diagnosing network problems. You can monitor network traffic on a packet-by-packet basis, and if you understand the low-level protocols, such monitoring enables you to determine why particular problems might be occurring. Some sniffers, including Snort, can also be configured to alert you whenever suspicious network activity occurs.
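The port-to-service mapping described under "System Scans" and the legitimate use just mentioned (checking your own hosts for servers they shouldn't be running) can be combined into a small inventory check. The following is an added example, not code from the book: it parses a constructed excerpt in /etc/services format and a constructed listing in the style of `ss -tln`, then reports every listening TCP socket whose service name is not on an allowlist. On a real host you would feed it the actual /etc/services file and the real `ss -tln` output; both inputs here are embedded so the script runs offline.

```python
"""Inventory listening TCP ports against an allowlist of expected services.

Added example: the /etc/services excerpt and the ss-style listing below are
constructed for illustration, not taken from any real host.
"""

# Constructed excerpt in /etc/services format: name, port/protocol, aliases, comment.
SERVICES_TEXT = """\
# Network services, Internet style
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp          mail
http            80/tcp          www             # WorldWideWeb HTTP
pop3            110/tcp         pop-3           # POP version 3
https           443/tcp
mysql           3306/tcp
"""

# Constructed listing resembling `ss -tln` output (header row, then one socket per line).
SS_TEXT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:25        0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       128     0.0.0.0:110         0.0.0.0:*
LISTEN  0       80      [::]:3306           [::]:*
"""

# Services this host is supposed to run; any other listener is a finding.
EXPECTED = {"ssh", "http", "https"}

# Local addresses that accept connections from other machines (not just loopback).
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def parse_services(text):
    """Map (port, proto) -> canonical service name; comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()
        name, portproto = fields[0], fields[1]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


def parse_listeners(text):
    """Extract (local address, port) for each socket in LISTEN state from ss-style output."""
    listeners = []
    for line in text.splitlines()[1:]:         # first line is the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition handles IPv6 forms such as "[::]:3306" as well as "0.0.0.0:22".
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def is_exposed(addr):
    """True when the socket is bound to a wildcard address rather than loopback."""
    return addr in WILDCARD_ADDRS


def unexpected_listeners(ss_text, services_text, expected):
    """Return (port, service name or None, address, exposed) for listeners not on the allowlist."""
    table = parse_services(services_text)
    findings = []
    for addr, port in parse_listeners(ss_text):
        name = table.get((port, "tcp"))         # None if /etc/services has no entry
        if name not in expected:
            findings.append((port, name, addr, is_exposed(addr)))
    return findings


if __name__ == "__main__":
    for port, name, addr, exposed in unexpected_listeners(SS_TEXT, SERVICES_TEXT, EXPECTED):
        label = name or "unknown"
        scope = "reachable from the network" if exposed else "loopback only"
        print(f"port {port} ({label}) bound to {addr}: {scope}")
```

The `exposed` flag matters when reading the results: the mail server bound to 127.0.0.1 is not reachable by a remote scanner, whereas the POP3 and MySQL listeners on wildcard addresses are exactly what a network scan like the one described above would find. A port with no /etc/services entry is reported as `unknown` rather than silently ignored, since an unnamed listener deserves more attention, not less.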

Worms and viruses frequently engage in network and system scans in an automated way. Unlike many other network scans, these scans are part of an automated attack; if a worm discovers a vulnerability, it attacks immediately. To date, most network worms and viruses attack Windows systems, not Linux systems; but this could change in the future.
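Because worms and crackers alike probe many ports on a target in a short burst, the pattern is visible in packet-filter logs even before anything is broken into. The following added example (not from the book) shows the detection side: it reads iptables-style kernel LOG lines, groups connection attempts by source address, and raises an alert for any source that touches at least `threshold` distinct destination ports within a sliding `window`. The log lines are constructed using RFC 5737 documentation addresses; the field names (SRC, DST, PROTO, DPT) follow the real kernel log format, but the traffic itself is made up. A source that touches the same number of ports spread over several minutes is deliberately included to show that the window, not the raw count, decides.

```python
"""Flag sources that probe many distinct ports within a short window.

Added example: the LOG_LINES below are constructed, with RFC 5737 addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = """\
Mar 10 12:00:01 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=21
Mar 10 12:00:01 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
Mar 10 12:00:02 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=23
Mar 10 12:00:02 gw kernel: [LOG] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80
Mar 10 12:00:02 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=25
Mar 10 12:00:03 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=80
Mar 10 12:00:03 gw kernel: [LOG] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80
Mar 10 12:00:03 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51005 DPT=110
Mar 10 12:00:04 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51006 DPT=143
Mar 10 12:00:04 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51007 DPT=443
Mar 10 12:00:05 gw kernel: [LOG] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80
Mar 10 12:00:06 gw kernel: [LOG] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80
Mar 10 12:00:07 gw kernel: eth0: link is up
Mar 10 12:01:00 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=21
Mar 10 12:02:00 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=22
Mar 10 12:03:00 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=23
Mar 10 12:04:00 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=60003 DPT=25
Mar 10 12:05:00 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=60004 DPT=80
Mar 10 12:06:00 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=60005 DPT=110
Mar 10 12:07:00 gw kernel: [LOG] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=60006 DPT=143
"""

# syslog timestamp, host, "kernel:", then the iptables fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, proto, dport) for an iptables LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None                      # other kernel messages are ignored
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less; fine for deltas
    return ts, m.group("src"), m.group("proto"), int(m.group("dpt"))


def detect_port_scans(lines, threshold=6, window=timedelta(seconds=10)):
    """Map each scanning source to the number of distinct ports it hit inside one window.

    A source is reported once the first window starting at any of its events
    contains at least `threshold` distinct destination ports.
    """
    events = defaultdict(list)           # src -> [(timestamp, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _proto, dport = parsed
        events[src].append((ts, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                       # chronological order
        for i, (t0, _) in enumerate(evs):
            ports = {d for t, d in evs[i:] if t <= t0 + window}
            if len(ports) >= threshold:
                alerts[src] = len(ports)
                break
    return alerts


if __name__ == "__main__":
    for src, count in detect_port_scans(LOG_LINES.splitlines()).items():
        print(f"possible port scan from {src}: {count} distinct ports in one window")
```

In the constructed data only 203.0.113.5 is reported: 198.51.100.7 repeatedly connects to a single port, which is ordinary client behaviour, and 203.0.113.9 touches seven ports but one per minute, so no ten-second window ever reaches the threshold. Tuning `threshold` and `window` against your own baseline traffic is what keeps this from flooding you with alerts for legitimate multi-service clients.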
