~ Essays ~
|
|
|
|
essays |
(Courtesy of fravia's advanced searching
lores)
(�`�.� a php network security scanner �.���)
by Devergranne
published at fravia's searchlores in
May 2000
Included at the bottom: [DQ open comments to Devergranne]
This essay has been TAKEN DOWN
on Devergranne's request
in September 2002
You'll anyway be able to find it elsewhere trough
the usual public '[time
machines]'.
DQ's comments to Devergranne's essay
Devergranne, I had a look at your essay "a php network security scanner" and
like to make some comments. You can hit me afterwards ;-)
Let's first start with
cgi-scan.php3. That's a nice CGI scanner, but I would strongly advise anyone against
using it!
Is that code copyrighted by yourself? Are you the author or did you just do
a rewrite, taking sources out of the web and translating them into PHP? There's something
called CGIcheck99, which is coded in
REBOL and written by deepquest.
Anyway, before running that CGI scanner, please have
a look at the excellent specifications for Whisker
, done by rain forest puppy.
As a general
advice to those who just want to start with this stuff: Please be aware of the inner
workings of the servers you want to attack. Study them, learn the configuration options,
know about booby-traps, and please stop scanning for the phf
vulnerability!
Now regarding scan.php3. Please resolve the host name to an IP
before starting your loop through your XXXX ports, that way you contribute to reduce
internet pollution. Relevant functions are:
string gethostbyname(string
hostname);
array gethostbynamel(string hostname);
Second point: Do you really want
to scan all those ports? What are you going to do once you found an open port? Why don't you
just create an array with those ports you really care about?
For example, if you want to
scan for available services, include 21, 23, 25, 80, 110, etc.
If you want to check for
proxy access, include 80, 81, 3128, 8080, 8081, etc.
If you want to check for SubSeven
and other backdoors, include only those relevant ports.
Just scanning from
zero to who knows what glorious 5 digit number just wastes your patience, increases your
phone bill and does nothing useful.
A quick patch would be to reduce the default
timeout of ten seconds to 3 in the fsockopen() line as follows:
$fp = fsockopen("$host",
$port, &$errno, &$errstr, 3);
Nevertheless, you have a point when demonstrating this
new security problem. Perhaps this activates the awareness of people regarding PHP.
DQ, May 2000
(c) 2000: [fravia+], all
rights
reserved