Re: analysis of auditable port scanning techniques
Dan Harkless <dan-bugtraq@xxxxxxxxxxxxxxxxx> writes:
> Rainer Weikusat <weikusat@xxxxxxxxxxxxxxxxx> writes:
> > Dan Harkless <dan-bugtraq@xxxxxxxxxxxxxxxxx> writes:
> > > > Using this grammar applied to the data we send to an arbitrary host
> > > > piped to the ident/auth port will reveal the process owner running
> > > > on a given port, even though we initiated the connection.
> > >
> > > Uh, no. With properly-written ident daemons, such as pidentd,
[...]
> Well, there's a feature request for auth/ident/tap daemons running on OSes
> (if any) that can distinguish after-the-fact between connections that
> originated locally and those that originated remotely. Assuming that
> doesn't break RFCs 931 / 1413, of course (I'd re-read them right now to
> check, if I had the time)...
Theo de Raadt just informed me via email that OpenBSD fixed their identd to
only report SS_CONNECTOUT sockets in 1996. He says as far as he knows
theirs is the only identd to implement this, and that he tried to contact
the RFC authors about getting a revision done saying that you should not
respond for non-locally-originating connections, but he either got no reply
or there was disagreement.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@xxxxxxxxxxxxxxxxx | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
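
Added example, not part of the original message and not OpenBSD's code: a sketch of the RFC 1413 reply policy described above, where the daemon names an owner only for connections the local host originated. The connection table is constructed sample data, and the `connect_out` field is an assumed stand-in for the kernel's SS_CONNECTOUT socket flag.

```python
import re
from typing import NamedTuple

class Conn(NamedTuple):
    local_port: int
    remote_addr: str
    remote_port: int
    owner: str
    connect_out: bool  # assumed stand-in for the kernel's SS_CONNECTOUT flag

# Constructed sample table: one inbound connection to a local daemon,
# one outbound connection opened by a local user.
CONNS = [
    Conn(22, "192.0.2.7", 40112, "root", False),   # remote host connected to us
    Conn(51515, "192.0.2.7", 25, "alice", True),   # we connected to remote host
]

# RFC 1413 query: "<port-on-server> , <port-on-client>"
QUERY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def ident_reply(line, peer_addr, conns=CONNS, outbound_only=True):
    """Build the ident reply for one query line received from peer_addr."""
    m = QUERY.match(line)
    if not m:
        return "0, 0 : ERROR : UNKNOWN-ERROR"
    lport, rport = int(m.group(1)), int(m.group(2))
    pair = f"{lport}, {rport}"
    if not (1 <= lport <= 65535 and 1 <= rport <= 65535):
        return f"{pair} : ERROR : INVALID-PORT"
    for c in conns:
        # Only the other endpoint of a connection may ask about it.
        if (c.local_port, c.remote_addr, c.remote_port) == (lport, peer_addr, rport):
            if outbound_only and not c.connect_out:
                # Same answer as "no such connection", so the reply does not
                # confirm that a hidden owner exists for an inbound connection.
                return f"{pair} : ERROR : NO-USER"
            return f"{pair} : USERID : UNIX : {c.owner}"
    return f"{pair} : ERROR : NO-USER"

if __name__ == "__main__":
    for policy in (False, True):
        print("outbound_only =", policy)
        print("  ", ident_reply("22, 40112", "192.0.2.7", outbound_only=policy))
        print("  ", ident_reply("51515, 25", "192.0.2.7", outbound_only=policy))
```

With `outbound_only=False` the daemon answers for the inbound connection to port 22 as well, which is the behaviour the quoted text objects to.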
This mailing list archive is a service of Copilot Consulting.