|
Security Basics
mailing list archives
Re: an error in the NMAP docs?
From: Barrie Dempster <barrie () reboot-robot net>
Date: Tue, 05 Apr 2005 14:07:17 +0100
Michael Herz wrote:
Hi all,
Is there an error in the NMAP docs? The --source_port section says:
"Many naive firewall and packet filter installations make an exception in
their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through
and establish a connection. Obviously this completely subverts the security
advantages of the firewall since intruders can just masquerade as FTP or
DNS by modifying their source port."
This implies that the hole in a packet filtered machine exists if it has
allowed inbound DNS or FTP connections. I don't believe this is true. I
think the hole only exists if the machine has allowed outbound (ie client)
connections from the machine. For example if the machine allowed outbound
DNS client requests to the world, using --source_port 53 would exploit the
hole.
The manual is quite correct, if you allow incoming requests from port 53
to any random port internally to *establish a connection*. This
represents a hole. The attacker can target any port he wishes as long as
his source is 53. This is a common firewall misconfiguration.
--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk
CA: www.cacert.org
"He who hingeth aboot, getteth hee-haw" - Victor (Still Game)
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
 By Date 
By Thread
Current thread:
| 
Intro
