The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>"sscan" Scanning Tool</h2>

Thursday, January 28, 1999<p>

Recently a new scanning tool named "sscan" was announced on various
public mailing lists.  This tool is a derivative of the "mscan" tool
that was widely used against a large number of sites in the second
half of 1998. For more information about mscan, please read our
earlier Incident Note IN-98.02:

<p>
<dl>
<dd><a href="http://www.cert.org/incident_notes/IN-98.02.html">
    http://www.cert.org/incident_notes/IN-98.02.html</a>
</dd></dl>
<p>

The sscan tool performs probes against victim hosts to identify
services that may be vulnerable to exploitation. Though sscan itself
does not attempt to exploit vulnerabilities, it can be configured to
automatically execute scripts of commands that can be maliciously
crafted to exploit vulnerabilities. Thus, it is possible for an
unpredictable set of attacks to be mounted against a victim site in
conjunction with the sscan probes.

<p>

The documentation distributed with sscan includes an example set of
scripted commands illustrating how a self-replicating attack might be
crafted using well-known vulnerabilities detected by sscan. We encourage
you to familiarize yourself with the actions sscan performs and to
ensure that your site is not vulnerable to attack.

<p>

The current version of sscan has been written specifically to execute
on a UNIX platform. Because the tool crafts packets with custom
attributes, privileged access to the source host is required to run
sscan. We encourage you to be mindful of the potential for intruder
control of the source host when responding to an incident involving
sscan probes.

<p>

To determine whether the sscan tool is possibly being used against
your site, look for the following activity:

<p>
<ol>
<li>Initial probes to selected services to determine the availability
    of the target host. TCP ACK packets are sent to the target host
    with the source and destination ports set as follows:
    <p>
    <ul>
    <li>source and destination TCP port 23 (telnet)</li>
    <li>source and destination TCP port 25 (smtp)</li>
    <li>source and destination TCP port 110 (pop3)</li>
    <li>source and destination TCP port 143 (imap)</li>
    <li>source and destination TCP port 80 (www)</li>
    </ul>
    <p>
    As currently configured, the sscan tool will not attempt to probe
    a host further if no response is received from these initial
    probes.
</li>
<li>If any of the above probes receives a response, further probes are made
    to the target host in an attempt to identify potential vulnerabilities.
    Connection probes to the following TCP ports are user optional and
    may or may not appear in additional sscan activity. The TCP ports are
    listed in the order in which they currently would be probed by sscan.
    <p>
    <ul>
    <li>80 (www)</li>
    <li>23 (telnet), 143 (imap), 110 (pop3) [all three, or none, are probed]</li>
    <li>111 (sunrpc)</li>
    <li>6000 (x11)</li>
    <li>79 (finger)</li>
    <li>53 (domain)</li>
    <li>31337 (unassigned by IANA)</li>
    <li>2766 (Solaris listen/nlps_server)</li>
    </ul>
    <p>
    Connection probes to the following TCP ports are always attempted
    and are not user optional. The TCP ports are listed in the order
    in which they are probed by sscan.
    <p>
    <ul>
    <li>139 (netbios-ssn)</li>
    <li>25 (smtp)</li>
    <li>21 (ftp)</li>
    <li>22 (ssh)</li>
    <li>1114 (Linux mSQL)</li>
    <li>1 (tcpmux)</li>
    </ul>
    <p>
    Ports responding to the probes in this section are considered by
    sscan to be "open" ports.
</li>
<li>Two types of probes are made in an attempt to identify the target
    host's operating system.
    <p>
    <ul>
    <li>TCP connection probe to port 23 (telnet) to obtain the login banner</li>
    <li>Probes attempting to identify system and network architecture
        similar to those discussed in CERT Incident Note IN-98.04:
        <p>
        <a href="http://www.cert.org/incident_notes/IN-98.04.html">http://www.cert.org/incident_notes/IN-98.04.html</a>
        <p>
        In this case, five packets are sent to the target host on the
        first TCP port identified as being "open" in the previous
        scanning (section 2). The five packets have the following
        characteristics:
        <p>
        <ul>
        <li>Packet #1 - SYN ACK packet from source TCP port 1</li>
        <li>Packet #2 - FIN packet from source TCP port 2</li>
        <li>Packet #3 - FIN ACK packet from source TCP port 3</li>
        <li>Packet #4 - SYN FIN packet from source TCP port 4</li>
        <li>Packet #5 - PUSH packet from source TCP port 5</li>
        </ul>
    </li>
    </ul>
</li>
<li>Using information gathered from the probes, sscan attempts to determine
    if the target host may potentially have any of the following accessible
    information services or known vulnerabilities:
    <p>
    <ul>
    <li>qpopper - see
        <dl>
        <dd><a href="http://www.cert.org/advisories/CA-98.08.qpopper_vul.html">http://www.cert.org/advisories/CA-98.08.qpopper_vul.html</a></dd>
        <dd><a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.01.qpopper.buffer.overflow.vul">ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.01.qpopper.buffer.overflow.vul</a></dd>
        </dl>
    </li>
    <li>imapd - see
        <dl>
        <dd><a href="http://www.cert.org/advisories/CA-98.09.imapd.html">http://www.cert.org/advisories/CA-98.09.imapd.html</a></dd>
        <dd><a href="http://www.cert.org/advisories/CA-97.09.imap_pop.html">http://www.cert.org/advisories/CA-97.09.imap_pop.html</a></dd>
        </dl>
    </li>
    <li>SMTP EXPN command</li>
    <li>Solaris listen/nlps_server (port 2766)</li>
    <li>Linux mSQL (port 1114)</li>
    <li>BIND - see <a href="http://www.cert.org/advisories/CA-98.05.bind_problems.html">http://www.cert.org/advisories/CA-98.05.bind_problems.html</a></li>
    <li>Various CGI-BIN vulnerabilities - see
        <a href="http://www.cert.org/tech_tips/cgi_metacharacters.html">http://www.cert.org/tech_tips/cgi_metacharacters.html</a>
        <ul>
        <li>phf - also see <a href="http://www.cert.org/advisories/CA-96.06.cgi_example_code.html">http://www.cert.org/advisories/CA-96.06.cgi_example_code.html</a></li>
        <li>handler - also see <a href="ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi">ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi</a></li>
        <li>Count.cgi - also see <a href="http://www.cert.org/advisories/CA-97.24.Count_cgi.html">http://www.cert.org/advisories/CA-97.24.Count_cgi.html</a></li>
        <li>test-cgi - also see <a href="http://www.cert.org/advisories/CA-97.07.nph-test-cgi_script.html">http://www.cert.org/advisories/CA-97.07.nph-test-cgi_script.html</a></li>
        <li>php.cgi - also see <a href="ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047">ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047</a></li>
        <li>webgais</li>
        <li>websendmail</li>
        <li>webdist.cgi - also see <a href="ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi">ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi</a></li>
        <li>faxsurvey</li>
        <li>htmlscript</li>
        <li>pfdisplay.cgi</li>
        <li>perl.exe (Windows platforms)</li>
        <li>wwwboard.pl (Windows platforms)</li>
        </ul>
    </li>
    <li>NFS filesystems exported to everyone - see
        <dl>
        <dd><a href="http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html">http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html</a></dd>
        </dl>
    </li>
    <li>mountd - see <a href="http://www.cert.org/advisories/CA-98.12.mountd.html">http://www.cert.org/advisories/CA-98.12.mountd.html</a></li>
    <li>rstatd - see <a href="http://www.cert.org/advisories/CA-97.26.statd.html">http://www.cert.org/advisories/CA-97.26.statd.html</a></li>
    <li>nlockmgr</li>
    <li>rpc.nisd - see <a href="http://www.cert.org/advisories/CA-98.06.nisd.html">http://www.cert.org/advisories/CA-98.06.nisd.html</a></li>
    <li>X11 (open X servers)</li>
    <li>Wingate - see <a href="http://www.cert.org/vul_notes/VN-98.03.WinGate.html">http://www.cert.org/vul_notes/VN-98.03.WinGate.html</a></li>
    <li>Finger (optional) - The default behavior is to perform finger
        on 'root' and 'guest' accounts. Target accounts are
        configurable and may differ from the defaults mentioned here.</li>
    </ul>
</li>
<li>At this point, there may be additional, unpredictable activity
    if sscan is configured to execute user crafted scripts of commands.
</li>
</ol>
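<p>
As an added illustration that is not part of the original note, the following Python matches two of the signatures described above, the ACK probes with identical source and destination ports (item 1) and the five-packet OS fingerprint sequence (item 3), against constructed tcpdump-style records. The record format, the addresses and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
# Item 1 in the note: TCP ACK probes whose source port equals the destination port.
AVAILABILITY_PORTS = {23, 25, 110, 143, 80}
# Item 3: the five OS-fingerprint packets, source port -> expected TCP flag set.
FINGERPRINT = {1: {"S", "A"}, 2: {"F"}, 3: {"F", "A"}, 4: {"S", "F"}, 5: {"P"}}

# Constructed tcpdump-style record, e.g. "IP 10.0.0.5.23 > 192.0.2.10.23: Flags [.]"
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([SFRPUEW.]*)\]")

def parse_line(line):
    """Return (src_ip, sport, dst_ip, dport, flags) or None; tcpdump's '.' is ACK."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = {"A" if c == "." else c for c in m.group(5)}
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), flags

def detect_sscan(lines):
    """Map (src_ip, dst_ip) -> findings that match the sscan probe signatures."""
    findings = defaultdict(list)
    fp_seen = defaultdict(set)  # (src_ip, dst_ip, dport) -> fingerprint source ports seen
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # malformed or non-TCP record; skip rather than fail
        src, sport, dst, dport, flags = pkt
        if flags == {"A"} and sport == dport and dport in AVAILABILITY_PORTS:
            findings[(src, dst)].append(f"ACK availability probe, sport=dport={dport}")
        if FINGERPRINT.get(sport) == flags:
            fp_seen[(src, dst, dport)].add(sport)
    for (src, dst, dport), seen in fp_seen.items():
        if seen == set(FINGERPRINT):  # all five packets seen toward one "open" port
            findings[(src, dst)].append(f"OS fingerprint sequence to port {dport}")
    return dict(findings)
# Constructed sample capture: one sscan-like source (10.0.0.5) and one ordinary client.
SAMPLE_LINES = [
    "IP 10.0.0.5.23 > 192.0.2.10.23: Flags [.]",
    "IP 10.0.0.5.25 > 192.0.2.10.25: Flags [.]",
    "IP 10.0.0.5.1 > 192.0.2.10.139: Flags [S.]",
    "IP 10.0.0.5.2 > 192.0.2.10.139: Flags [F]",
    "IP 10.0.0.5.3 > 192.0.2.10.139: Flags [F.]",
    "IP 10.0.0.5.4 > 192.0.2.10.139: Flags [SF]",
    "IP 10.0.0.5.5 > 192.0.2.10.139: Flags [P]",
    "IP 198.51.100.7.40123 > 192.0.2.10.80: Flags [.]",  # normal client ACK, not flagged
]
if __name__ == "__main__":
    for pair, hits in detect_sscan(SAMPLE_LINES).items():
        print(pair, hits)
```

A partial fingerprint sequence (fewer than all five packets to the same port) is deliberately not reported, so ordinary traffic from low source ports does not trigger the second signature on its own.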
<p>
If any machines in your network use any of the above services, we 
encourage you to make sure that all patches are up to date and your
machines are properly secured.
<p>
We also urge you to filter all traffic at your firewall except that
which you explicitly decide to allow. Please read our packet filtering
tech tip for more information:
<p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/packet_filtering.html">
http://www.cert.org/tech_tips/packet_filtering.html</a>
</dd></dl>
<p>
Sites using UNIX systems may also wish to consult the following
documents:
<p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/unix_configuration_guidelines.html">
http://www.cert.org/tech_tips/unix_configuration_guidelines.html</a>
<dd><a href="ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist">ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist</a>
</dd></dd></dl>
<hr/>
<p>
CERT/CC wishes to thank AusCERT for their assistance in developing this 
Incident Note.

<p>Copyright 1999 Carnegie Mellon University.</p>