
Brute Force
The Brute Force scan tries to find open default accounts by trying guessable
account and password pairs. If the scanner finds an open default account, it is
important to correct the vulnerability properly. An example of a default account
is sync, a common account name on SunOS and other UNIX flavors. Typically, this
access reveals only additional information about the type and version number of
the operating system and displays the Message of the Day (MOTD). By itself, this
is normally not a severe risk. However, certain FTP packages can allow a user to
log in as sync and steal the password file.
Other software packages may not properly check for account access, opening up
security vulnerabilities through non-password-protected accounts such as sync.
A sync account with no password can become a security vulnerability: someone
with a regular account on that host can divert the sync account (on systems
with runtime-linked libraries). The saboteur points the LD_LIBRARY_PATH variable
at a library of his own devising, then runs login or su to gain another user's
privileges and ultimately become root.
All accounts, including the sync account, should have non-trivial passwords.
If login access to these accounts is not needed, it should be removed or
disabled by placing * (an asterisk) in the password field, and the string /bin/false
in the shell field in /etc/passwd. For example, the /etc/passwd entry for a
disabled guest account should resemble the following:
Risk: High
Note: On some UNIX systems, if there are too many connections within a period of
time, inetd turns off a service (such as Telnet) for a period of time. You can
modify inetd to allow more connections within a period of time. The scanner can
limit how many simultaneous connections happen within a given period, slowing
the brute force attack down to a level that inetd accepts.
Fix: If any of these services are running unnecessarily, you should consider
disabling them. You can also change passwords.
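As an added example (not part of this scanner documentation), the following Python script audits passwd-format entries for the two conditions described above: an empty password field, and a default account such as sync or guest that still has a login shell instead of /bin/false. The sample entries and the list of default account names are constructed for illustration.

```python
# Added example (not from the scanner documentation): audit passwd-format
# entries for the weaknesses this check describes. Sample data is constructed.
# Assumes the classic 7-field format with the password hash, "*" or "x" in field 2.
from typing import Dict, List

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# Default accounts worth checking; sync and guest are the ones discussed above.
DEFAULT_ACCOUNTS = {"sync", "guest", "daemon", "bin", "sys", "lp", "uucp"}

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd-format lines into dicts; blank and comment lines are skipped."""
    fields = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(dict(zip(fields, parts)))
    return entries

def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Map each risky account name to the list of problems found with it."""
    findings: Dict[str, List[str]] = {}
    for e in parse_passwd(text):
        problems = []
        if e["passwd"] == "":
            problems.append("empty password field: anyone can log in")
        if e["name"] in DEFAULT_ACCOUNTS and e["shell"] not in NOLOGIN_SHELLS:
            problems.append(f"default account still has login shell {e['shell']}")
        if problems:
            findings[e["name"]] = problems
    return findings

# Constructed sample: a correctly disabled guest (* and /bin/false), an open
# sync account with no password, and an ordinary user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
guest:*:100:100:Guest:/home/guest:/bin/false
sync::1:1:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""

if __name__ == "__main__":
    for name, problems in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{name}: {'; '.join(problems)}")
```

Run against a copy of a real /etc/passwd, every account that shows up in the output is one this check would be likely to find open.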
Brute Force Netware FTP
When the scanner tries to brute force the FTP server by logging in as default
accounts, Novell Netware's FTP server exhibits a memory leak that can cause the
entire machine to run out of memory.
Fix: Contact Novell for a patch.
Brute Force Cisco
Default accounts allow intruders easy access to remote systems and
administrative command of the device.
Risk: High
Fix: Disable account or change password.
POP3
FTP
Telnet
Rsh
Rexec