new tools: linux pid exhaustion scanner, tcp/ip handshake scanner

From: Eli Fulkerson (elifulkerson@gmail.com)
Date: Fri Jan 13 2006 - 11:25:52 EST


Hi, list. I have two new security scanning tools, the first of which
I would qualify as alpha-experimental and the second as beta-but-stable.
Will be happy to receive any feedback or advice.

-------------

New Tool: Decloak

Decloak is a "pID exhaustion" scanner for Linux. It finds hidden
processes by mapping out the available pID space and noting the gaps
that it was unable to fill. After a gap is discovered, it calls
getpriority, getsid, getpgid and checks the contents of
/proc/(pid)/cmdline to identify the process and displays the results.

How does pID exhaustion work?

This works by exploiting the sequential nature in which Linux assigns
new pIDs to forked processes. Essentially this tool functions thusly:

(main loop for each pid in the pid space)
    (fork)
        (child)
        exits immediately
        (parent)
            compares pid of the (child) to the pid of the child from
                  the previous loop

            (if child_pid > old_child_pid + 1)
                print Found one! (child_pid)

In theory, a malevolent process would need to either subvert fork()..
by rewriting the entire kernel to allow duplicate pIDs... or have a
process that hops around from pID to pID to avoid this scan.

In practice however, this tool generates a lot of false positives.
I've seen them in particular with mySQL and Xrealvnc. I have a feeling
that they have something to do with the Linux threading model... maybe
zombie threads from a former process that haven't returned their pIDs to
the kernel. If anyone has any ideas on that, I would like to hear from
you.

This utility has only been tested under Linux, but will most likely work
on any Unix system with sequential pID numbering.

This tool and source (GPL) are available at this url:

http://www.elifulkerson.com/projects/decloak.php

-------------

Also, while I am talking about negative-space system scanners, I have
a second tool that I wrote some time back, but never sent to lists:

New Tool: Hardscan

Hardscan is a tool that checks for hidden tcp/ip connections via
brute-forcing a handshake on every port. If the port is already in use
for traffic in either direction, the handshake will fail. The utility
will attempt to use SO_REUSE on the socket if it fails the first time,
and will report this as well.

Executive summary pseudocode:

(main loop for each port in the port space)
    a key is determined
    (server thread)
        opens a listening port, waits for the key to be delivered
    (client thread)
        opens a connection to the server thread and delivers the key

This tool is written in Python, and has been tested on both Linux and
Win32.

Source (GPL) available at:

http://www.elifulkerson.com/projects/hardscan.php
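A bounded version of the Decloak sweep, as an added example that is not the tool's own source: it forks a fixed number of children, reports the pids the sequence skipped, and labels each one with the probes described above (liveness check plus /proc/(pid)/cmdline). It assumes Linux (/proc and /proc/sys/kernel/pid_max) and that a pid sequence that reaches pid_max restarts at 300, the kernel's RESERVED_PIDS, which the post itself does not state.

```python
import os

RESERVED_PIDS = 300  # assumed Linux wrap floor: pids below this are never reused

def gap_pids(prev_pid, new_pid, pid_max, floor=RESERVED_PIDS):
    """Pids skipped between consecutive children (each was busy at fork time).
    Also handles the sequence wrapping at pid_max, which the post's test misses."""
    if new_pid > prev_pid:
        return list(range(prev_pid + 1, new_pid))
    return list(range(prev_pid + 1, pid_max)) + list(range(floor, new_pid))

def classify(pid):
    """Label a gap pid with the probes the post describes (liveness, /proc).
    'gone': freed before we looked (the transient false-positive case);
    'hidden': kernel says it exists but /proc has no entry; 'visible': normal."""
    try:
        os.kill(pid, 0)  # signal 0 sends nothing, only checks existence
    except ProcessLookupError:
        return ("gone", None)
    except PermissionError:
        pass  # exists, just not ours to signal
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
    except FileNotFoundError:
        return ("hidden", None)
    return ("visible", argv0 or "<kernel thread or zombie>")

def sweep(max_forks):
    """Fork max_forks short-lived children and classify every skipped pid.
    The parent reaps each child so the sweep leaves no zombies of its own;
    a complete pass needs max_forks >= pid_max."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    report, prev = {}, None
    for _ in range(max_forks):
        child = os.fork()
        if child == 0:
            os._exit(0)  # child: hand the pid straight back
        os.waitpid(child, 0)
        if prev is not None:
            for pid in gap_pids(prev, child, pid_max):
                report[pid] = classify(pid)
        prev = child
    return report

if __name__ == "__main__":
    for pid, (state, name) in sorted(sweep(2000).items()):
        if state != "gone":
            print(f"{pid:>7}  {state:8}  {name}")
```

With /proc mounted hidepid=2, other users' processes also show up as "hidden", so run the sweep as root to avoid that class of false positive.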




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:22 EDT