7.1 Remote Maintenance Services

Services used by network administrators to directly manage remote hosts over TCP/IP (e.g., SSH, Telnet, VNC, and others) are threatened by three categories of attack:

• Information leak attacks, from which user and system details are extracted

• Process manipulation attacks (buffer overflows, format string bugs, etc.)

• Brute-force guessing of user passwords to gain direct system access

An online bank may be running the Telnet service on its Internet routers for administrative purposes. This service may not be vulnerable to information leak or process-manipulation attacks, but a determined attacker can launch a brute-force attack against the service to gain access. Brute force is an increasingly popular attack vector for attackers attempting to break moderately secure networks.

I have derived this list of common remote maintenance services from the /etc/services file:

ssh             22/tcp

telnet          23/tcp

exec            512/tcp

login           513/tcp

shell           514/tcp

x11             6000/tcp

citrix-ica      1494/tcp

ms-rdp          3389/tcp

vnc-http        5800/tcp

vnc             5900/tcp

Windows services such as NetBIOS and CIFS can also be used for remote-maintenance purposes (scheduling commands, file access etc.). Due to the complexity of the Windows networking model, these services are fully discussed in Chapter 9.