|
Firewall Wizards
mailing list archives
Re:source port specific port scan (Rich Wilson)
From: "Don Jones" <don.jones () linuxmail org>
Date: Mon, 15 Oct 2001 10:17:15 +1100
Does anyone know of a port scanner that allows you to specify the source port?
I'm trying to test a filter that allows outbound only SMTP. My worry is that
it is not stateful, and that an attacker using a source port of 25 can bypass
the filter.
Try NMap with the -g <portnumber> option.
From the Nmap man page (http://www.insecure.org/nmap/nmap_manpage.html):
-g <portnumber>
Sets the source port number used in scans. Many naive firewall and packet filter installations make an exception in
their ruleset to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection.Obviously this
completely subverts the security advantages of the firewall since intruders can just masquerade as FTP or DNS by
modifying their source port. Obviously for a UDP scan
you should try 53 first and TCP scans should try 20 before 53. Note that this is only a request -- nmap will honor
it only if and when it is able to. For example, you can't do TCP ISN sampling all from one host:port to one host:port,
so nmap changes the source port even if you used -g.
Be aware that there is a small performance penalty on some scans for using this option, because I
sometimes store useful information in the source port number.
--
Get your free email from www.linuxmail.org
Powered by Outblaze
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
 By Date 
By Thread
Current thread:
- Re:source port specific port scan (Rich Wilson) Don Jones (Oct 15)
| 
Intro
