Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
permits one to instruct an FTP service on another machine to send files to an FTP service on a third machine, thereby cloaking the command origin, a very useful tool for attackers to hide the origin of attacks.
A.1.4 OPERATING SYSTEM DETECTION.
A second objective of port scanning is to determine the OS of that machine. Knowing the target machine's OS is invaluable in the vulnerability-mapping phase that immediately precedes launching exploits to attempt to actually take over the remote machine (see discussion about the cracking devices in section A.2). The OS identity can be learned from mechanisms such as banner grabbing¹⁰; however, the most useful approaches use stack fingerprinting.

Tools such as nmap, cheops, tkined, and queso are commonly used to do stack fingerprinting to quickly ascertain what the target machine's OS is, including the actual version of the OS implementation, with a high degree of probability. These tools leverage techniques such as the FIN probe (see RFC 793), the Bogus Flag probe, initial sequence number sampling, don't-fragment-bit monitoring, TCP initial window size, ACK value, ICMP error message quenching (see RFC 1812), ICMP message quoting, ICMP error message echoing integrity, type of service for "ICMP port unreachable" messages, fragmentation handling, and other TCP options (see RFC 1323) to make their calculations. Specifically, the RFCs that define TCP specify how a system should respond during connection initiation. However, they do not define how the system should respond to the various illegal combinations of TCP code bits. Rather, each implementation responds somewhat differently to the same set of illegal flags or finite state machine protocol violations. These differences provide a basis for these hacker tools to determine, with a high degree of probability, exactly what OS they are remotely accessing.
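The illegal code-bit combinations described above are also what a defender can watch for. The following is an added example, not part of the FAA report: it labels TCP flag combinations that RFC 793 leaves undefined and attributes repeated probes to their source address. The segment records and addresses are constructed, and `classify` and `find_fingerprinting_sources` are hypothetical names chosen for this illustration.

```python
# Added example (not from the FAA report): label TCP code-bit combinations that
# RFC 793 leaves undefined, i.e. the segments stack-fingerprinting tools send,
# and attribute repeated probes to their source address.
from typing import Dict, List, Optional, Tuple

# TCP flag bit values (RFC 793 layout: FIN is the low bit).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Bits above URG were reserved in RFC 793 (the "Bogus Flag" probe sets one);
# RFC 3168 later assigned them to ECN, so exempt ECN-capable hosts in production.
RESERVED = 0xC0

Segment = Tuple[str, int]  # (source address, flags byte) from a constructed capture


def classify(flags: int) -> Optional[str]:
    """Return a probe label for an illegal flag combination, or None if legal."""
    if flags & RESERVED:
        return "bogus-flag"
    if flags & SYN and flags & FIN:
        return "syn-fin"       # open and close requested in the same segment
    if flags == 0:
        return "null-scan"     # no code bits at all
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == FIN:
        return "fin-probe"     # bare FIN with no ACK (the RFC 793 FIN probe)
    if not flags & (SYN | RST | ACK):
        return "ack-less"      # every non-SYN, non-RST segment must carry ACK
    return None


def find_fingerprinting_sources(segments: List[Segment], threshold: int = 3) -> Dict[str, List[str]]:
    """Sources that sent at least `threshold` anomalous segments, with their labels."""
    hits: Dict[str, List[str]] = {}
    for src, flags in segments:
        label = classify(flags)
        if label is not None:
            hits.setdefault(src, []).append(label)
    return {src: labels for src, labels in hits.items() if len(labels) >= threshold}


# Constructed sample: a normal handshake from .5 and a probe series from .9.
SAMPLE_SEGMENTS: List[Segment] = [
    ("192.0.2.5", SYN), ("192.0.2.5", ACK), ("192.0.2.5", PSH | ACK),
    ("192.0.2.9", FIN), ("192.0.2.9", SYN | FIN),
    ("192.0.2.9", 0), ("192.0.2.9", 0x40 | SYN),
]
```

Running `find_fingerprinting_sources(SAMPLE_SEGMENTS)` reports only 192.0.2.9, whose four segments match the FIN probe, SYN+FIN, null, and Bogus Flag patterns; the handshake from 192.0.2.5 produces no labels.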
A.1.5 ENUMERATION.
Once the attacker has identified the OS of the target machine to crack, the attacker will want to learn the valid accounts or exported resource names of that system. This process is known as enumeration. The tools and approaches for accomplishing enumeration are largely a function of the target OS to be cracked. The default configuration of Microsoft Windows machines is particularly vulnerable to enumeration, though other machines are also vulnerable.

For example, within Unix devices, the Sun ONC services (e.g., Sun remote procedure call (RPC), network information system, and network file system (NFS)) are particularly vulnerable to enumeration. The finger utility is perhaps the oldest way to do enumeration on Unix systems. Similarly, r-commands such as rusers and rwho also provide enumeration services.

Enumeration can also occur via SMTP. The SMTP VRFY command confirms the names of valid users and the EXPN command reveals the actual delivery addresses of aliases and mailing lists.
¹⁰ Services such as FTP, Telnet, SMTP, HTTP, POP3, IMAP4, and others frequently identify the operating system of their hosting machine. This identification is then leveraged by the attacker to focus the attack upon known weaknesses of that OS, often by using automated attack mechanisms.
A-5