5.5 auth


The Unix auth service (known internally as identd) listens on TCP port 113. The primary purpose of auth is to provide a degree of authentication through mapping local usernames to TCP network ports in use. IRC is a good example of this: when a user connects to an IRC server, an auth request is sent to TCP port 113 of the host to retrieve the user's current login name.

The identd service can be queried in line with RFC 1413 to match open TCP ports on the target host with local usernames. The information gathered has two different uses to an attacker: to derive the owners of processes with open ports and to enumerate valid username details.

nmap can cross-reference open ports with the identd service running on TCP port 113. Example 5-12 shows such an identd scan being run to identify a handful of user accounts.

Example 5-12. Finding service ownership details through identd
# nmap -I -sT 192.168.0.10

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on dockmaster (192.168.0.10):
(The 1595 ports scanned but not shown below are in state: closed)
Port       State       Service                 Owner
22/tcp     open        ssh                     root
25/tcp     open        smtp                    root
80/tcp     open        http                    nobody
110/tcp    open        pop-3                   root
113/tcp    open        auth                    ident
5050/tcp   open        unknown                 thomas
8080/tcp   open        http-proxy              nobody
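
The RFC 1413 message format behind such a scan, as an added Python example that is not from the book: it parses ident replies and reports which listening ports disclose a login name, which is the check to run against your own hosts' identd output. The reply lines are constructed, the function names are hypothetical, and treating any opsys other than OTHER as a real account name is an assumption.

```python
import re

# RFC 1413 reply: "<server-port> , <client-port> : <resp-type> : <add-info>"
_PORTS = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def build_query(server_port, client_port):
    """Request line: the queried host's port first, then the querier's port."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")

def parse_reply(line):
    """Parse one reply line into a dict; raise ValueError if malformed."""
    # A user-id may itself contain ':', so split at most three times.
    fields = line.decode("latin-1").rstrip("\r\n").split(":", 3)
    m = _PORTS.match(fields[0])
    if len(fields) < 3 or not m:
        raise ValueError("malformed ident reply")
    reply = {"server_port": int(m.group(1)), "client_port": int(m.group(2))}
    kind = fields[1].strip().upper()
    if kind == "ERROR" and len(fields) == 3:
        reply.update(type="ERROR", error=fields[2].strip())
    elif kind == "USERID" and len(fields) == 4:
        # Drop the optional ",charset" suffix. Spaces after the last colon
        # are part of the user-id per RFC 1413, so keep the raw value.
        reply.update(type="USERID", opsys=fields[2].split(",")[0].strip(),
                     user_id=fields[3])
    else:
        raise ValueError("malformed ident reply")
    return reply

def discloses_account(reply):
    """Heuristic (assumption): any opsys other than OTHER names a real account."""
    return reply["type"] == "USERID" and reply["opsys"].upper() != "OTHER"

def leaking_ports(lines):
    """Map server port -> disclosed login name for replies that leak one."""
    parsed = [parse_reply(line) for line in lines]
    return {r["server_port"]: r["user_id"].strip()
            for r in parsed if discloses_account(r)}

# Constructed replies: ports taken from Example 5-12; the last two show
# answers a hardened daemon may give (opaque token, HIDDEN-USER error).
SAMPLE = [
    b"22 , 40001 : USERID : UNIX : root\r\n",
    b"5050 , 40002 : USERID : UNIX : thomas\r\n",
    b"80 , 40003 : USERID : OTHER : 5f2a9c\r\n",
    b"8080 , 40004 : ERROR : HIDDEN-USER\r\n",
]

if __name__ == "__main__":
    print(leaking_ports(SAMPLE))
```

Ports that appear in the result are the ones whose owner an outside party can read; the OTHER and HIDDEN-USER replies answer the query without naming an account.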

5.5.1 auth Process Manipulation Vulnerabilities

The Linux jidentd and cidentd packages contain various buffer-overflow vulnerabilities. I highly recommend that you research servers that have identd running, including enumeration of the operating platform, to ascertain the probable type of identd service running. You can query the CVE list at http://cve.mitre.org to keep up to date with vulnerable packages.



Network Security Assessment: Know Your Network
ISBN: 059600611X
EAN: 2147483647
Year: 2006
Pages: 166
Authors: Chris McNab
