The Unix auth service (known internally as identd) listens on TCP port 113. Its primary purpose is to provide a degree of authentication by mapping local usernames to the TCP network ports in use. IRC is a good example of this: when a user connects to an IRC server, the server sends an auth request to TCP port 113 of the connecting host to retrieve the user's current login name. The identd service can be queried in line with RFC 1413 to match open TCP ports on the target host with local usernames. The information gathered has two different uses to an attacker: deriving the owners of the processes that hold open ports, and enumerating valid usernames. nmap has the capability to cross-reference open ports with the identd service running on TCP port 113. Example 5-12 shows such an identd scan being run to identify a handful of user accounts.

Example 5-12. Finding service ownership details through identd

    # nmap -I -sT 192.168.0.10

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Interesting ports on dockmaster (192.168.0.10):
    (The 1595 ports scanned but not shown below are in state: closed)
    Port       State       Service       Owner
    22/tcp     open        ssh           root
    25/tcp     open        smtp          root
    80/tcp     open        http          nobody
    110/tcp    open        pop-3         root
    113/tcp    open        auth          ident
    5050/tcp   open        unknown       thomas
    8080/tcp   open        http-proxy    nobody

5.5.1 auth Process Manipulation Vulnerabilities

The Linux jidentd and cidentd packages contain various buffer-overflow vulnerabilities. I highly recommend that you research servers that have identd running, including enumeration of the operating platform, to ascertain the probable type of identd service running. You can query the CVE list at http://cve.mitre.org to keep up to date with vulnerable packages.
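The RFC 1413 exchange that nmap's -I option drives is a single text line in each direction. The following is an added example, not code from the book or from nmap: it builds the request line and strictly parses the reply, including the ERROR replies (such as HIDDEN-USER) that a hardened identd returns instead of a real username, so a defender can see exactly what an exposed port 113 discloses. Sample reply lines are constructed here.

```python
# Added example: build and parse RFC 1413 ident messages (not from the book).
import re
from dataclasses import dataclass
from typing import Optional

# Error types defined by RFC 1413 section 5; site-specific codes start with 'X'.
IDENT_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}

@dataclass
class IdentReply:
    server_port: int      # port on the host being queried
    client_port: int      # port on the querying host
    kind: str             # "USERID" or "ERROR"
    opsys: Optional[str]  # e.g. "UNIX" (USERID replies only)
    user: Optional[str]   # user id, or the error type for ERROR replies

def _check_port(p: int) -> int:
    if not 1 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")
    return p

def build_request(server_port: int, client_port: int) -> bytes:
    """Request line sent to TCP/113: '<server-port> , <client-port>' + CRLF."""
    return f"{_check_port(server_port)} , {_check_port(client_port)}\r\n".encode("ascii")

_REPLY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")

def parse_reply(line: bytes) -> IdentReply:
    """Parse one reply line; raises ValueError on anything not RFC 1413 shaped."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    m = _REPLY.match(text)
    if not m:
        raise ValueError(f"malformed ident reply: {text!r}")
    sport, cport = _check_port(int(m.group(1))), _check_port(int(m.group(2)))
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        err = rest.strip()
        if err not in IDENT_ERRORS and not err.startswith("X"):
            raise ValueError(f"unknown error type: {err!r}")
        return IdentReply(sport, cport, kind, None, err)
    # USERID reply: '<opsys> [ , <charset> ] : <user-id>'; the user-id may
    # itself contain ':' so split only on the first colon.
    opsys, sep, user = rest.partition(":")
    if not sep:
        raise ValueError(f"USERID reply missing user-id: {text!r}")
    return IdentReply(sport, cport, kind, opsys.split(",")[0].strip(), user.strip())
```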