Firewall Wizards
mailing list archives
RE: source port specific port scan
From: "robert_david_graham" <robert_david_graham () yahoo com>
Date: Mon, 15 Oct 2001 12:29:00 -0700
Spoofing of the source port is common in both scanners and exploit scripts.
The two most popular source ports are 53 (dns) and 20 (ftp-data). Tools like
"ADMfzap" and "firewalk" take advantage of this directly, but other scanners
often include configuring the source port as an option. A number of exploit
scripts use these as source ports by default.
The reason, of course, is that a lot of legitimate incoming DNS requests and
responses come from port 53, and a lot of legitimate incoming FTP data
connections come from port 20. If I remember correctly, last year at
BlackHat, some people pointed out that some versions of Checkpoint make it
really easy for admins to make a mistake and trust anything from port 53
(dns).
Actually, I am surprised how little hackers are taking advantage of this.
This is still a wide-open hole throughout the Internet.
As for your case, yes, somebody could spoof an ACK scan from port 25. It's
not a huge hole; I doubt that no one (except the extreme paranoid) would
worry about it, especially since you are blocking incoming SYNs/no-ACK from
port 25 (aren't you?).
-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Rich Wilson
Sent: Friday, October 12, 2001 2:34 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] source port specific port scan
Does anyone know of a port scanner that allows you to specify
the source port?
I'm trying to test a filter that allows outbound only SMTP. My worry is that
it is not stateful, and that an attacker using a source port of 25 can bypass
the filter.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
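A small model of the filter discussed in this thread, added here as an illustration and not code from either poster: it compares a non-stateful "source port 25 with ACK set" inbound rule against connection tracking and lists the packets only the stateless rule accepts. The rule form, the class and function names, and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment

def stateless_allows_inbound(p):
    # Assumed rule: inbound TCP passes if source port is 25 and ACK is set
    # (bare SYNs are dropped). No memory of what the inside actually sent.
    return p.sport == 25 and "ACK" in p.flags

class StatefulFilter:
    """Tracks outbound SMTP connections; inbound must match a tracked flow."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p):
        if p.dport == 25 and p.flags == frozenset({"SYN"}):
            self.flows.add((p.src, p.sport, p.dst, p.dport))

    def allows_inbound(self, p):
        # Reverse the tuple: the reply must come from the server we contacted.
        return (p.dst, p.dport, p.src, p.sport) in self.flows

def policy_gap(outbound_history, inbound):
    """Inbound packets the stateless rule passes but state tracking rejects."""
    fw = StatefulFilter()
    for p in outbound_history:
        fw.outbound(p)
    return [p for p in inbound
            if stateless_allows_inbound(p) and not fw.allows_inbound(p)]

# Constructed sample traffic (private and documentation address ranges).
F = frozenset
OUT = [Packet("10.0.0.5", 40000, "192.0.2.10", 25, F({"SYN"}))]
REPLY = Packet("192.0.2.10", 25, "10.0.0.5", 40000, F({"SYN", "ACK"}))
STRAY_ACK = Packet("198.51.100.7", 25, "10.0.0.5", 8080, F({"ACK"}))
BARE_SYN = Packet("198.51.100.7", 25, "10.0.0.5", 8080, F({"SYN"}))

if __name__ == "__main__":
    for p in policy_gap(OUT, [REPLY, STRAY_ACK, BARE_SYN]):
        print("stateless-only accept:", p)
```

Any packet reported by `policy_gap` is one that reaches the inside purely because of its source port and ACK bit, which is the exposure the original question asks about.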