sectools email announcement

one question i found myself asking last year was "what is the coincidence
of ssh with telnet and rsh servers? does this have any effect on the usage
of ssh?" windows, for example, has shipped with a telnet client since
windows 95, but i dont think they have ever shipped an ssh client (is this
still the case? sorry, i haven't looked at windows much since 1998 or so,
no need). very few UNIX systems ship with an ssh client, instead having a
telnet and an rsh client (and server). how does this affect people who
attempt to migrate their userbase to ssh usage if they still have telnet
and rsh available?

i asked niels this and he didn't have any answer, no one had asked him
before (and i dont think anyone has ever asked him since). and no one had
any data, as far as i know, on such coincidence of servers. i decided to
try and get an answer for myself.

last fall i modified niels provos' scanssh tool [1] to also connect to
ports 23/tcp and 513/tcp (telnet and rsh, respectively) on the target
hosts. i then used this modified scanssh and scanned a subnet i had access
to (a /16) and generated some results which i shared with the network

in general, what i found was the following:

over 33,000 hosts were attempted, with nearly 8000 responding that day.
about 400 (about 5%) were running sshd, over 800 (over 10%) had a telnet
server, and less then 300 (about 3%) had rshd running and accessible.
only about 1% had all three services available, with the majority
(nearly 2%) having telnetd and rshd available together in the absence of
sshd. the vast majority of the servers (over 2:1) were OpenSSH, with the
protocol identifier of "SSH-1.99" being the most popular (supporting both
version 1.5 and 2 of the SSH protocol [2]).

clearly this kind of tool could be useful to other network administrators
and security personelle. hence, i am making the diffs available, despite
being only against version 1.2a of the scanssh tool. the usage is the
same, no new options are introduced. instead, the output format changes.
it now looks like this:

IP, SSH version string, 0|1 for telnetd, 0|1 for rshd

a host with all three open, running OpenSSH 2.9p2, would have a result
string like this:, SSH-1.99-OpenSSH_2.9p2, 1, 1

a host running only telnetd and rsh, but not sshd, would show up as:, Connection refused, 1, 1

a few pieces are offered to the community at large:

  changes the version string to SSH-1.1-SSH_Telnet_RSH_Version_Mapper

  modified to connect and log attempts to 23/tcp and 513/tcp

  awk script to parse the output, giving a tabular summary.

all of the pieces (and the old scanssh-1.2a source tarball) are available
via my new website:

here are the checksums:

	MD5 (scanssh-1.2a.tar.gz) = d28e5271bd71ca3a35b9ea6e20c1a57b
	MD5 (connecter_c.diff) = 5eaf37dca134154d5d72c0a1d365f6b3
	MD5 (scanssh_h.diff) = f3d85621185cd0abd5e7d6de74e514e7
	MD5 (process.awk) = 9a26886f9a2fdc1e5fc76f6c2becba08


i wrote this tool with honest intentions, just as niels did with his
original scanssh. i offer it to people to audit networks they have the
authorization to scan and peer into, and i hope it's used only as such. i
only want to assist network and security administrators in their job and
hope that they find as much use out of this tool as i have. if this tool
is abused i cannot assume any liability for that nor can i bear any of the
responsibility, and i encourage you to protect your network against such
abuses by others.

these pieces are entirely unmaintained at this point, unsupported and
offered as is, and comes with no warranty of any kind. they are not
provos' work, so dont go bother him if you have problems with it, either.

thanks, and i hope that people can make use of this.

[1] the modifications are against version 1.2a, which is no longer
    available. a new version is available at the scanssh website:


jose nazario, ph.d.