one question i found myself asking last year was "what is the coincidence of ssh with telnet and rsh servers? does this have any effect on the usage of ssh?"

windows, for example, has shipped with a telnet client since windows 95, but i don't think they have ever shipped an ssh client (is this still the case? sorry, i haven't looked at windows much since 1998 or so, no need). very few UNIX systems ship with an ssh client, instead having a telnet and an rsh client (and server). how does this affect people who attempt to migrate their userbase to ssh usage if they still have telnet and rsh available?

i asked niels this and he didn't have any answer, no one had asked him before (and i don't think anyone has ever asked him since). and no one had any data, as far as i know, on such coincidence of servers.

i decided to try and get an answer for myself. last fall i modified niels provos' scanssh tool [1] to also connect to ports 23/tcp and 513/tcp (telnet and rsh, respectively) on the target hosts. i then used this modified scanssh and scanned a subnet i had access to (a /16) and generated some results which i shared with the network administrators.

in general, what i found was the following: over 33,000 hosts were attempted, with nearly 8000 responding that day. about 400 (about 5%) were running sshd, over 800 (over 10%) had a telnet server, and less than 300 (about 3%) had rshd running and accessible. only about 1% had all three services available, with the majority (nearly 2%) having telnetd and rshd available together in the absence of sshd. the vast majority of the servers (over 2:1) were OpenSSH, with the protocol identifier of "SSH-1.99" being the most popular (supporting both version 1.5 and 2 of the SSH protocol [2]).

clearly this kind of tool could be useful to other network administrators and security personnel. hence, i am making the diffs available, despite being only against version 1.2a of the scanssh tool.

the usage is the same, no new options are introduced. instead, the output format changes. it now looks like this:

    IP, SSH version string, 0|1 for telnetd, 0|1 for rshd

a host with all three open, running OpenSSH 2.9p2, would have a result string like this:

    192.168.7.8, SSH-1.99-OpenSSH_2.9p2, 1, 1

a host running only telnetd and rsh, but not sshd, would show up as:

    192.168.7.9, Connection refused, 1, 1

a few pieces are offered to the community at large:

    scanssh_h.diff      changes the version string to
                        SSH-1.1-SSH_Telnet_RSH_Version_Mapper
    connecter_c.diff    modified to connect and log attempts to
                        23/tcp and 513/tcp
    process.awk         awk script to parse the output, giving a
                        tabular summary.

all of the pieces (and the old scanssh-1.2a source tarball) are available via my new website:

    http://www.monkey.org/~jose/myscanssh/

here are the checksums:

    MD5 (scanssh-1.2a.tar.gz) = d28e5271bd71ca3a35b9ea6e20c1a57b
    MD5 (connecter_c.diff) = 5eaf37dca134154d5d72c0a1d365f6b3
    MD5 (scanssh_h.diff) = f3d85621185cd0abd5e7d6de74e514e7
    MD5 (process.awk) = 9a26886f9a2fdc1e5fc76f6c2becba08

disclaimer: i wrote this tool with honest intentions, just as niels did with his original scanssh. i offer it to people to audit networks they have the authorization to scan and peer into, and i hope it's used only as such. i only want to assist network and security administrators in their job and hope that they find as much use out of this tool as i have. if this tool is abused i cannot assume any liability for that nor can i bear any of the responsibility, and i encourage you to protect your network against such abuses by others.

these pieces are entirely unmaintained at this point, unsupported and offered as is, and come with no warranty of any kind. they are not provos' work, so don't go bother him if you have problems with it, either.

thanks, and i hope that people can make use of this.

links:

[1] the modifications are against version 1.2a, which is no longer available.
    a new version is available at the scanssh website:
    http://www.monkey.org/~provos/scanssh/

[2] http://www.ietf.org/html.charters/secsh-charter.html

___________________________
jose nazario, ph.d.   jose@monkey.org
http://www.monkey.org/~jose/
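
The following is an added example, not part of the original post and not the author's process.awk: a small parser for the "IP, SSH version string, telnetd, rshd" output format described above, which tallies service combinations and lists hosts that offer telnet or rsh without sshd. It assumes fields are separated by ", " and that a version field starting with "SSH-" means sshd answered; the function names and sample lines are constructed for illustration.

```python
# Added example: summarise output in the "IP, SSH version string, telnetd, rshd" format.
from collections import Counter

# Constructed sample lines (not real scan data), in the format the post describes.
SAMPLE = """\
192.168.7.8, SSH-1.99-OpenSSH_2.9p2, 1, 1
192.168.7.9, Connection refused, 1, 1
192.168.7.10, SSH-2.0-OpenSSH_3.0, 0, 0
192.168.7.11, SSH-1.5-1.2.27, 1, 0
192.168.7.12, Connection refused, 0, 0
192.168.7.13, SSH-1.99-banner, with comma, 0, 1
this line is malformed
"""

def parse_line(line):
    """Return (ip, banner, telnet, rsh) or None if the line is malformed."""
    head, sep, rest = line.strip().partition(", ")
    if not sep:
        return None
    # The two flags are always the last fields; the banner may itself contain commas.
    parts = rest.rsplit(", ", 2)
    if len(parts) != 3 or parts[1] not in ("0", "1") or parts[2] not in ("0", "1"):
        return None
    return head, parts[0], parts[1] == "1", parts[2] == "1"

def summarise(text):
    """Count service combinations and list hosts that still expose cleartext logins."""
    combos, protocols, cleartext_only, skipped = Counter(), Counter(), [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ip, banner, telnet, rsh = rec
        ssh = banner.startswith("SSH-")          # anything else is an error string
        combos[(ssh, telnet, rsh)] += 1
        if ssh:
            protocols[banner.split("-")[1]] += 1  # e.g. "1.99", "2.0", "1.5"
        elif telnet or rsh:
            cleartext_only.append(ip)             # migration candidates: no sshd at all
    return combos, protocols, cleartext_only, skipped

if __name__ == "__main__":
    combos, protocols, cleartext_only, skipped = summarise(SAMPLE)
    for (ssh, telnet, rsh), n in sorted(combos.items(), reverse=True):
        print(f"ssh={ssh:d} telnet={telnet:d} rsh={rsh:d}  hosts={n}")
    print("protocol ids:", dict(protocols))
    print("telnet/rsh without sshd:", cleartext_only, "| skipped lines:", skipped)
```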