Chapter 7. Assessing Remote Maintenance Services
This chapter covers the assessment of remote maintenance services that give direct access to servers and devices for administrative purposes. Common remote maintenance services include SSH, Telnet, X Windows, VNC, and Microsoft Terminal Services. Determined attackers concentrate on breaking remote maintenance services to obtain direct access to the target host.
Remote Maintenance Services
Services used by network administrators to directly manage remote hosts over TCP/IP (e.g., SSH, Telnet, VNC, and others) are threatened by three categories of attack:
Information leak attacks, from which user and system details are extracted
Process manipulation attacks (buffer overflows, format string bugs, etc.)
Brute-force guessing of user passwords to gain direct system access
An online bank may be running the Telnet service on its Internet routers for administrative purposes. This service may not be vulnerable to information leak or process-manipulation attacks, but a determined attacker can launch a brute-force attack against the service to gain access. Brute force is an increasingly popular attack vector for attackers attempting to break moderately secure networks.
I have derived this list of common remote maintenance services from the /etc/services file:
ssh 22/tcp telnet 23/tcp exec 512/tcp login 513/tcp shell 514/tcp x11 6000/tcp citrix-ica 1494/tcp ms-rdp 3389/tcp vnc-http 5800/tcp vnc 5900/tcp
Tip
Windows services such as NetBIOS and CIFS can also ...
Get Network Security Assessment now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
