[unisog] Determining local servers and banners

Are Leif Garn}sjordet a.l.garnasjordet at usit.uio.no
Tue Apr 12 12:41:14 GMT 2005

On Fri, 8 Apr 2005, Brian Smith-Sweeney wrote:

> Interesting...how many active hosts are you scanning?  We too have been
> doing some active exploit detection here using nmap+amap, with an eye
> towards keeping that data for comparison later.

We call the script package Scanorama and it is more grown then developed.
At the moment we are cleaning up the code and are planning to release it
on sourceforge with a GPL liscense. But as this was not intended for
release it is not well documented or written. We hope it won't be to
embarrassing when we release it. We hope to release it on sourceforge
sometimes this summer, if you are not afraid of tweaking tings you can get
what we have sooner, email me off list and we will give you a copy. Our
first internal release is probably ready by the end off the month.

Data from last 24 hours:

Total scans:	13690
Full-scan TCP 	595
Light-scan TCP	13683
Full-scan UDP 	303
Light-scanUDP	8327

Light-TCP scan is scan of the 150 most interesting ports, like 137-139,
445, 31337 etc. Light-UDP is some well known UDP ports, used by some P2P
applications, ghostcast server etc. At the moment we run 3 parallel scans
off each type full-TCP/UDP and light-TCP/UDP, but we can probably have
more full-UDP and less light-UDP.

> I asked about number of hosts because I'm working on getting  active
> scans to run A) more accurately, and B) within a reasonable (1 week)
> amount of time.  Would you mind sharing your nmap timing options, and
> what your associated % of host response is?  And I too would be
> interested in seeing your database setup, if it's available.

We ping each host before scanning it, this way we get 100% host response
and nmap timeout values isn't that important. We want cross reference this
data with the router ARP tables to avoid local firewalls but not there

> Even though right now we're only getting data back from2 about 5k of our
> 30k active hosts, the follow-up amap gives us real good data on FTP
> "quiet" backdoors, so I would still recommend it to anyone looking for
> this type of compromise.  Those machines with FTP banners generally
> point us at hosts that could turn into DDoS clients, brute-force
> password attackers, etc. .  I've also noticed a tendency for
> script-kiddie FTP backdoors to have some rudimentary portscan detection,
> so more and more I'm having to nmap from one host and amap from another.

I wouldn't advise you to use only portscans to find compromised hosts, we
find more compromised machines with our honeypot and grep in netflow data.
We use Scanorama more to check compliance (Windows machine in domain, not
running W95 or NT4 etc.).

> We're also keeping track of "common" ports used by ftp backdoors on our
> network and attempting to identify patterns of non-bannered ports on
> those obviously compromised hosts that will help to identify others
> compromised in more subtle ways.  Unfortunately, with the number of
> hosts we've got, real OS/applications fingerprinting seems too slow to
> be useful.

We tried to keep track of the different backdoors, but most local exploits
we find have "customized" the backdoor and is hiding in "legal" port
ranges. Much in the same way they "customize" filenames for known Troyans,
or utilities like netcat.

One side note is, the world is getting worse. A couple of weeks ago we
found our first binary rootkit (hackers defenders) which hides itself from
the OS. They got in through a unpatched apache server running PHP on
someones desktop.


More information about the unisog mailing list