I wrote the following small program which you might find helpful if
you are worried about users running their own servers (which may be
insecure) - such as WKSes, perl scripts, tinyMUDs, and home grown
servers - possibly circumventing router filters which have been
set up for security.
I kept forgetting which TCP ports people were running various nifty
servers on, on remote hosts where I had no login access (so I couldn't
run 'cat' or 'ypcat' on a services file, nor run 'netstat -a' on the
remote host).
This program will report on what TCP ports on the remote hosts have
servers listening for connections. With verbose mode (command
line option '-v') turned on it will list both active and inactive
TCP ports. With 'hack' mode (command line option '-h') it will
invoke a telnet session to the newly discovered port on the remote
host.
For those concerned about insecure services run by users opening
up host security, or those who want to tighten up router filter
firewalls, you might want to run probe_tcp_ports periodically
from cron or a cron script (as well as other security audit
s/w such as cops and crack!). Here is sample output:
% probe_tcp_ports x
Host x.y.yale.edu, Port 13 ("daytime" service) connection ... open.
Host x.y.yale.edu, Port 21 ("ftp" service) connection ... open.
Host x.y.yale.edu, Port 23 ("telnet" service) connection ... open.
Host x.y.yale.edu, Port 25 ("smtp" service) connection ... open.
Host x.y.yale.edu, Port 37 ("time" service) connection ... open.
Host x.y.yale.edu, Port 43 ("whois" service) connection ... open.
Host x.y.yale.edu, Port 53 ("domain" service) connection ... open.
Host x.y.yale.edu, Port 70 connection ... open.
Host x.y.yale.edu, Port 79 ("finger" service) connection ... open.
Host x.y.yale.edu, Port 109 ("pop" service) connection ... open.
Host x.y.yale.edu, Port 110 ("pop3" service) connection ... open.
Host x.y.yale.edu, Port 111 ("sunrpc" service) connection ... open.
...
Here is the probe_tcp_ports program source :
---------------------------------------------------------------------------
/*
* probe_tcp_ports
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Status codes returned by the probe routines. */
enum {
    RETURN_ERR = -1,    /* a system call failed (socket()) */
    RETURN_FAIL = 0,    /* the host argument could not be used */
    RETURN_SUCCESS = 1  /* the probe ran; says nothing about open/closed */
};

/* Option counters; each is bumped once per occurrence of its flag. */
int Debug;      /* -d: perror() the reason a connect() failed */
int Hack;       /* -h: start a telnet session to every open port */
int Verbose;    /* -v: also list ports that are NOT open */
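/*
 * Entry point.  Leading arguments that start with '-' are option
 * clusters (any mix of d, h and v); every remaining argument is taken
 * as a host name or address and probed in turn.
 *
 * Returns 0 after all hosts were processed, 1 on an unknown option.
 * The per-host result of Probe_TCP_Ports() is deliberately ignored so
 * that one bad host does not stop the run.
 */
int main(int ArgC, char **ArgV)
{
    /* Defined later in this file; declared here so the call is checked. */
    int Probe_TCP_Ports(char *Name);
    int Index;
    int SubIndex;

    for (Index = 1; Index < ArgC && ArgV[Index][0] == '-'; Index++) {
        /* Start at 1 to skip the '-' itself; a bare "-" sets nothing. */
        for (SubIndex = 1; ArgV[Index][SubIndex] != '\0'; SubIndex++) {
            switch (ArgV[Index][SubIndex]) {
            case 'd':
                Debug++;
                break;
            case 'h':
                Hack++;
                break;
            case 'v':
                Verbose++;
                break;
            default:
                (void) fprintf(stderr,
                    "Usage: probe_tcp_ports [-dhv] [hostname [hostname ...] ]\n");
                return 1;
            }
        }
    }

    for (; Index < ArgC; Index++)
        (void) Probe_TCP_Ports(ArgV[Index]);

    /* Returning from main() flushes stdio exactly as exit() would. */
    return 0;
}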
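/*
 * Probe every TCP port from 1 to 65535 on one host.
 *
 * Name is resolved with gethostbyname(); if that fails it is parsed as
 * a dotted IPv4 address with inet_addr() and a hostent is built locally
 * so the rest of the code can treat both cases alike.
 *
 * Returns RETURN_SUCCESS once all ports have been tried, RETURN_FAIL
 * when Name is NULL, cannot be resolved, is too long for the local name
 * buffer, or does not yield an IPv4 address.  Results of the individual
 * port probes are not propagated.
 */
int Probe_TCP_Ports(char *Name)
{
    /*
     * Same prototype as <arpa/inet.h>, which this file does not include.
     * The return type is in_addr_t, not int.
     */
    extern in_addr_t inet_addr(const char *);
    /* Defined later in this file. */
    int Probe_TCP_Port(unsigned Port, struct hostent *HostEntryPointer,
                       struct sockaddr_in SocketInetAddr);

    unsigned Port;
    struct hostent *HostEntryPointer;
    struct sockaddr_in SocketInetAddr;
    struct hostent TargetHost;
    struct in_addr TargetHostAddr;
    char *AddressList[2];
    char NameBuffer[128];
    int Length;

    if (Name == NULL)
        return (RETURN_FAIL);

    HostEntryPointer = gethostbyname(Name);
    if (HostEntryPointer == NULL) {
        TargetHostAddr.s_addr = inet_addr(Name);
        if (TargetHostAddr.s_addr == INADDR_NONE) {
            (void) printf("unknown host: %s\n", Name);
            return (RETURN_FAIL);
        }

        /*
         * Name comes straight from the command line; a bounded copy
         * keeps an over-long argument from overrunning NameBuffer.
         */
        Length = snprintf(NameBuffer, sizeof NameBuffer, "%s", Name);
        if (Length < 0 || (size_t) Length >= sizeof NameBuffer) {
            (void) printf("host name too long: %s\n", Name);
            return (RETURN_FAIL);
        }

        /* NULL-terminated address list, as resolver results are. */
        AddressList[0] = (char *) &TargetHostAddr;
        AddressList[1] = NULL;

        TargetHost.h_name = NameBuffer;
        TargetHost.h_aliases = NULL;
        TargetHost.h_addrtype = AF_INET;
        TargetHost.h_length = sizeof(struct in_addr);
        TargetHost.h_addr_list = AddressList;
        HostEntryPointer = &TargetHost;
    }

    /*
     * The copy below writes into a 4-byte sin_addr, so refuse any
     * result whose address family or length is not plain IPv4 instead
     * of trusting h_length from the resolver.
     */
    if (HostEntryPointer->h_addrtype != AF_INET ||
        HostEntryPointer->h_length != (int) sizeof SocketInetAddr.sin_addr ||
        HostEntryPointer->h_addr_list == NULL ||
        HostEntryPointer->h_addr_list[0] == NULL) {
        (void) printf("no IPv4 address for host: %s\n", Name);
        return (RETURN_FAIL);
    }

    /* Zero first: the struct is passed by value and handed to connect(). */
    memset(&SocketInetAddr, 0, sizeof SocketInetAddr);
    SocketInetAddr.sin_family = AF_INET;
    memcpy(&SocketInetAddr.sin_addr, HostEntryPointer->h_addr_list[0],
           sizeof SocketInetAddr.sin_addr);

    for (Port = 1; Port < 65536; Port++)
        (void) Probe_TCP_Port(Port, HostEntryPointer, SocketInetAddr);

    return (RETURN_SUCCESS);
}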
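/*
 * Print the "Host <name>, Port <n> [("<svc>" service)] connection ... "
 * prefix for one probe and flush it so it is visible while connect()
 * is still pending.
 */
static void Print_Probe_Header(const char *HostName, unsigned Port)
{
    struct servent *ServiceEntryPointer;

    (void) printf("Host %s, Port %u ", HostName, Port);
    /* getservbyport() expects the port in network byte order. */
    ServiceEntryPointer = getservbyport(htons((unsigned short) Port), "tcp");
    if (ServiceEntryPointer != NULL)
        (void) printf(" (\"%s\" service) ", ServiceEntryPointer->s_name);
    (void) printf("connection ... ");
    (void) fflush(stdout);
}

/*
 * Return non-zero when HostName consists only of letters, digits, '.',
 * '-' and '_' and does not begin with '-'.  The name may be whatever the
 * resolver returned, so it is checked before it is used as a program
 * argument (a leading '-' would be read as an option).
 */
static int Is_Plain_Host_Name(const char *HostName)
{
    const char *Cursor;

    if (HostName == NULL || HostName[0] == '\0' || HostName[0] == '-')
        return 0;
    for (Cursor = HostName; *Cursor != '\0'; Cursor++) {
        if (!isalnum((unsigned char) *Cursor) &&
            *Cursor != '.' && *Cursor != '-' && *Cursor != '_')
            return 0;
    }
    return 1;
}

/*
 * Run "/usr/ucb/telnet <host> <port>" and wait for it to finish.
 *
 * The program is started with an explicit argument vector rather than
 * through system(): the host name can originate from DNS, and pasting
 * it into a shell command line would let shell metacharacters in that
 * name run as commands on the scanning machine.  Unlike system(),
 * SIGINT and SIGQUIT are not ignored in the parent while telnet runs.
 */
static void Run_Telnet(const char *HostName, unsigned Port)
{
    char PortText[16];
    pid_t Child;
    int Status;

    if (!Is_Plain_Host_Name(HostName)) {
        (void) fprintf(stderr,
            "telnet not started: unexpected characters in host name\n");
        return;
    }
    (void) snprintf(PortText, sizeof PortText, "%u", Port);

    /* Flush so buffered scan output appears before telnet's own. */
    (void) fflush(stdout);

    Child = fork();
    if (Child < 0) {
        perror("fork");
        return;
    }
    if (Child == 0) {
        (void) execl("/usr/ucb/telnet", "telnet", HostName, PortText,
                     (char *) NULL);
        perror("/usr/ucb/telnet");
        _exit(127);     /* _exit: do not flush the parent's stdio buffers */
    }
    while (waitpid(Child, &Status, 0) < 0 && errno == EINTR)
        ;
}

/*
 * Try one TCP connection to Port on the host described by
 * HostEntryPointer / SocketInetAddr and report the outcome on stdout.
 *
 * Open ports are always reported; closed ports only with Verbose set.
 * With Debug set the reason for a failed connect() goes to stderr.
 * With Hack set a telnet session is started to each open port.
 *
 * SocketInetAddr is received by value, so setting its port here does
 * not affect the caller's copy.
 *
 * Returns RETURN_ERR if no socket could be created, RETURN_SUCCESS
 * otherwise (whether or not the port was open).
 *
 * NOTE: connect() is blocking and no timeout is set, so a port whose
 * packets are silently dropped holds up the scan until the kernel
 * gives up.
 */
int Probe_TCP_Port(unsigned Port, struct hostent *HostEntryPointer,
                   struct sockaddr_in SocketInetAddr)
{
    int SocketDescriptor;
    int ConnectErrno;
    int IsOpen;

    /*
     * sin_port is in network byte order.  Storing the host-order value
     * probes a byte-swapped port on little-endian machines while the
     * report still names the intended one.
     */
    SocketInetAddr.sin_port = htons((unsigned short) Port);

    SocketDescriptor = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (SocketDescriptor < 0) {
        perror("socket");
        return (RETURN_ERR);
    }

    if (Verbose)
        Print_Probe_Header(HostEntryPointer->h_name, Port);

    IsOpen = connect(SocketDescriptor, (struct sockaddr *) &SocketInetAddr,
                     sizeof SocketInetAddr) == 0;
    ConnectErrno = errno;   /* printf() below may overwrite errno */

    if (IsOpen) {
        if (!Verbose)
            Print_Probe_Header(HostEntryPointer->h_name, Port);
        (void) printf("open.\n");
    } else {
        if (Verbose)
            (void) printf("NOT open.\n");
        if (Debug) {
            errno = ConnectErrno;
            perror("connect");
        }
    }

    /*
     * Close the probe connection before any telnet session starts, so
     * the descriptor is not inherited by the child and the server is
     * not left holding a second, idle connection.
     */
    (void) close(SocketDescriptor);

    if (IsOpen && Hack)
        Run_Telnet(HostEntryPointer->h_name, Port);

    return (RETURN_SUCCESS);
}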
----------------------------------------------------------------------------------
_ _ __ _ __
(/_ / (/ \/ \ _ __ __ ____ _ __ (/ _ __ _)
/ / . / )_(_)_/ (_/ (_(_) (_(_( /___(_)_/ )_(_)
( ( ( _)
H. Morrow Long
Manager of Development
Yale Univ. Comp Sci Dept. Computing Facility
Mail Stop 2158, UUCP: yale!Long-Morrow
Yale Station, ARPA: Long-Morrow @
CS .
Yale .
EDU
New Haven, CT 06520-2158 BITNET: Long-Morrow @
YaleCS .
BITNET
(203)-432-{1248,1254} FAX: (203)-432-0593
|
|