This section covers remote network attacks on Unix systems. Due to the vast range of such attacks, we've correlated the attack data to TCP/UDP port numbers, for your convenience. While legends tell of hackers who penetrate machines with no open ports (such as via a bug in a sniffer or even in a TCP/IP stack itself), the vast majority of network attacks come through a TCP (more often) or UDP (less often) port of a known network service.
We'll briefly describe the security relevance of the ports. If you are reading this book, we assume you already know how to use an advanced port scanner such as Nmap to discover open ports. By sending various packets to ports and watching the replies, you can tell open ports (which answer a SYN with SYN/ACK) from closed ports (which answer with RST) and filtered ports (which return nothing, or an RST generated by an intervening device).
We will categorize the attacks on Unix systems into several classes. Our categorization is inspired by the ICAT (http://icat.nist.gov) attack classification.
So, what dangers might lurk on a port?
If an attacker can guess a password and gain access to the service running on this port, the risks are obvious. A service with no authentication at all is the trivial case of weak authentication.
Allows an attacker to sniff authentication credentials off the wire using tools such as tcpdump. Additionally, TCP session hijacking (taking over a running session) and command injection (where the attacker inserts his own commands into the running TCP session, bypassing the authentication stage) are possible. Tools are ...