No subject


Thu Nov 23 16:34:03 EST 2017


last fall i modified niels provos' scanssh tool [1] to also connect to
ports 23/tcp and 513/tcp (telnet and rsh, respectively) on the target
hosts. i then used this modified scanssh and scanned a subnet i had access
to (a /16) and generated some results which i shared with the network
administrators.
(end quote)
--
Attack Scenarios:
Often used to find installs of OpenSSH pre-3.4, which are subject to the
GOBBLES ssh exploit (Bugtraq ID 5093; Snort SIDs 1810, 1811)
--
Ease of Attack:
Trivial
--
False Positives:
Unlikely
--
False Negatives:
The scanner is open-source.  It would be trivial to change the version
string in the code, bypassing this signature.
--
Corrective Action:
none
--
Contributors:
Steve Halligan
--
Additional References:

http://lists.jammed.com/incidents/2002/01/0174.html
http://lists.insecure.org/incidents/2001/Dec/0241.html
http://online.securityfocus.com/archive/75/281356/2002-07-07/2002-07-13/0
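
The False Negatives note above implies that the version-string match should be paired with a check that does not depend on the banner. The sketch below is an added example, not part of the original message or of Snort: it compares a banner match with a fan-out count of distinct port-22 destinations per source. The record format, marker substring, thresholds and addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: substring of the scanner's default client banner; the page
# does not quote the string the signature matches on.
BANNER_MARKER = "version_mapper"
FANOUT_THRESHOLD = 5   # distinct port-22 destinations (assumed tuning value)
WINDOW_SECONDS = 60    # sliding window length (assumed tuning value)

# Constructed sensor records: "epoch_seconds src_ip dst_ip client_banner".
SAMPLE = "\n".join(
    [f"{1000 + i} 192.0.2.10 10.1.0.{i + 1} SSH-1.0-SSH_Version_Mapper" for i in range(2)]
    # Same kind of sweep, but with the banner edited to look like a normal client.
    + [f"{2000 + i} 203.0.113.9 10.1.0.{i + 1} SSH-2.0-OpenSSH_3.4p1" for i in range(6)]
    # An administrator logging in to one host repeatedly.
    + [f"{3000 + 600 * i} 198.51.100.7 10.1.0.1 SSH-2.0-OpenSSH_3.4p1" for i in range(6)]
)

def parse(text):
    """Return (ts, src, dst, banner) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1], parts[2], parts[3]))
    return records

def banner_hits(records):
    """Sources caught by the version-string match alone."""
    return {src for _, src, _, banner in records if BANNER_MARKER in banner.lower()}

def fanout_hits(records, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Sources that reach `threshold` distinct hosts within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in records:
        by_src[src].append((ts, dst))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({dst for _, dst in events[start:end + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("banner match:", sorted(banner_hits(recs)))
    print("fan-out:     ", sorted(fanout_hits(recs)))
```

On the constructed data the banner match flags only the source using the stock banner, while the fan-out count flags the source whose banner was changed; alerting on either covers both cases.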



