Firewall Wizards: RE: source port specific port scan

From: robert_david_graham <robert_david_graham_at_yahoo.com>
Date: Mon, 15 Oct 2001 12:29:00 -0700

Spoofing of the source port is common in both scanners and exploit scripts.
The two most popular source ports are 53 (dns) and 20 (ftp-data). Tools like
"ADMfzap" and "firewalk" take advantage of this directly, but other scanners
often include configuring the source port as an option. A number of exploit
scripts use these as source ports by default.

The reason, of course, is that a lot of legitimate incoming DNS requests and
responses come from port 53, and a lot of legitimate incoming FTP data
connections come from port 20. If I remember correctly, last year at
BlackHat, some people pointed out that some versions of Checkpoint make it
really easy for admins to make a mistake and trust anything from port 53
(dns).

Actually, I am surprised how little hackers are taking advantage of this.
This is still a wide-open hole throughout the Internet.

As for your case, yes, somebody could spoof an ACK scan from port 25. It's
not a huge hole; I doubt that anyone (except the extremely paranoid) would
worry about it, especially since you are blocking incoming SYNs/no-ACK from
port 25 (aren't you?).

> -----Original Message-----
> From: firewall-wizards-admin_at_nfr.com
> [mailto:firewall-wizards-admin_at_nfr.com]On Behalf Of Rich Wilson
> Sent: Friday, October 12, 2001 2:34 PM
> To: firewall-wizards_at_nfr.com
> Subject: [fw-wiz] source port specific port scan
>
>
> Does anyone know of a port scanner that allows you to specify
> the source port?
> I'm trying to test a filter that allows outbound only SMTP.
> My worry is that
> it is not stateful, and that an attacker using a source port
> of 25 can bypass
> the filter.

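An added example, not from the original thread, that models the three filter policies the exchange discusses: the stateless "outbound-only SMTP" rule Rich is testing, the SYN-without-ACK check Robert mentions, and a stateful alternative. The packet model, port numbers and sample packets are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed packet model: only the fields a simple TCP filter looks at.
@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    src_port: int
    dst_port: int
    syn: bool
    ack: bool

SMTP = 25

def weak_filter(pkt: Packet) -> bool:
    """Stateless 'outbound-only SMTP' rule: allows outbound traffic to port 25
    and trusts anything coming back from port 25. A probe that simply sets
    its source port to 25 passes this rule, which is the bypass Rich feared."""
    if pkt.direction == "out" and pkt.dst_port == SMTP:
        return True
    if pkt.direction == "in" and pkt.src_port == SMTP:
        return True
    return False

def ack_check_filter(pkt: Packet) -> bool:
    """Same rule, but inbound packets from port 25 must carry ACK, i.e. the
    SYN-only (SYN/no-ACK) packets Robert refers to are dropped. A spoofed
    ACK-only probe from port 25 still gets through: the residual hole."""
    if pkt.direction == "out" and pkt.dst_port == SMTP:
        return True
    if pkt.direction == "in" and pkt.src_port == SMTP and pkt.ack:
        return True
    return False

class StatefulFilter:
    """Tracks SMTP connections opened from inside; an inbound packet is
    accepted only if it belongs to a flow the inside host initiated."""
    def __init__(self) -> None:
        self.flows: set[tuple[int, int]] = set()  # (local_port, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.dst_port == SMTP:
            if pkt.syn and not pkt.ack:          # new connection from inside
                self.flows.add((pkt.src_port, pkt.dst_port))
            return (pkt.src_port, pkt.dst_port) in self.flows
        if pkt.direction == "in":
            # Reply traffic must match (our port, their port) of a known flow;
            # source port 25 alone proves nothing.
            return (pkt.dst_port, pkt.src_port) in self.flows
        return False
```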
Received on Oct 16 2001
