Security Basics mailing list archives

RE: an error in the NMAP docs?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 7 Apr 2005 09:27:42 -0700



-----Original Message-----
From: Michael Herz [mailto:mherz () uwaterloo ca]
Sent: Thursday, April 07, 2005 7:13 AM
To: gillettdavid () fhda edu; security-basics () securityfocus com
Subject: RE: an error in the NMAP docs?

-----Original Message-----
From: David Gillett 

-----Original Message-----
From: Michael Herz

If you create with a machine that is protected both inbound
and outbound by deny all rules and then add a packet filter 
rule to allow the machine to act as a DNS server (inbound port 
53). If you then scan this machine now by using the 
"--source_port 53" option, scans won't get through and no other
services will be exposed.

  Correct but irrelevant.  The NMAP docs refer to a possible way 
to get to DNS *clients*, not DNS servers.


And exactly my point. --source_port can exploit DNS client configurations.
I think the NMAP doc "describes" exploiting a DNS server configuration.
Proper server service configurations can't be exploited by using
--source_port. This is all I'm trying to say :-)

  The *purpose* of the exception is NOT "to allow the machine to act 
as a DNS server".  Its purpose is to allow the client to receive DNS
results even when these are returned using TCP instead of UDP.
  The NMAP docs describe exploiting a FIREWALL configuration intended
to allow machines to act as DNS and FTP CLIENTS.  In the case of DNS, 
it's a common *erroneous* configuration; in the case of FTP, it's a 
common *required* configuration.

  The NMAP docs do not describe "exploiting a DNS server configuration".
They describe exploiting a firewall configuration, intended to enable
DNS/FTP clients, in order to bypass the firewall and reach those clients.  
  No DNS or FTP server plays any role in this exploit.  No configuration 
of a host or service plays any role.  It's the firewall which erroneously
allows scans and/or malicious traffic because it misclassifies the traffic 
as DNS or FTP traffic due to its forged source port; when the packets
reach the client, it's the *destination* port which determines what 
service actually receives them.  (ANY service.  Probably NOT FTP or DNS,
more likely something like EPMAP.)  If it's a vulnerable service, the user
wonders why their firewall didn't protect them.

  The NMAP docs may be a little on the terse side, but what they actually
say is correct, and what you think they ought to say is not.  (FTP and DNS
servers may have vulnerabilities, but --source_port plays *at best* a small
supporting role in exploiting them.)

David Gillett
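The distinction the reply above draws, between a filter that lets traffic in because of its forged *source* port and one that only admits answers to flows the client itself opened, can be modelled in a few lines. The following is an added example, not part of the original thread and not nmap's or any firewall's code: it simulates a stateless "allow from port 53" exception beside a reply-tracking filter, then runs a set of probes shaped like `nmap --source_port 53` (short form `-g 53`) against them. All addresses (RFC 5737/5737-style documentation ranges), the probed ports and the query port number are constructed for the demonstration.

```python
"""Model of a packet filter that admits 'DNS replies' by matching the source
port, versus one that tracks the client's own outbound flows.  Constructed
example; the addresses, ports and probe list are assumptions, not captured
traffic.  The probes mirror what nmap emits with --source_port/-g 53:
a forged source port of 53 and a varying destination port."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    sport: int
    dst_ip: str
    dport: int


def stateless_accept(pkt: Packet) -> bool:
    """The erroneous 'DNS client' exception: anything *from* port 53 is let
    in, no matter which local port (and so which service) it is aimed at."""
    if pkt.sport == 53:
        return True
    return False  # default deny for everything else


class ReplyTracker:
    """Accept an inbound packet only if it reverses a flow the protected host
    opened itself (the same idea as a stateful 'ESTABLISHED' rule)."""

    def __init__(self) -> None:
        self._open = set()

    def outbound(self, pkt: Packet) -> None:
        # Remember the flow in the direction the reply will arrive.
        self._open.add((pkt.proto, pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport))

    def accept(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport) in self._open


CLIENT = "192.0.2.10"     # protected host (documentation address, assumed)
RESOLVER = "192.0.2.53"   # its configured DNS server (assumed)
SCANNER = "198.51.100.7"  # host running nmap -g 53 (assumed)


def build_scan(src_port: int, dports) -> list[Packet]:
    """Probes as nmap would send with a forged source port against each dport."""
    return [Packet("tcp", SCANNER, src_port, CLIENT, d) for d in dports]


def run(dports=(22, 135, 139, 445)) -> dict:
    """Return, per filter, whether the real DNS reply is admitted and which
    probed destination ports the forged-source-port scan reaches."""
    tracker = ReplyTracker()
    # The client legitimately sends a DNS query; only its answer should be
    # allowed back in.  40123 is an arbitrary ephemeral port (assumed).
    query = Packet("udp", CLIENT, 40123, RESOLVER, 53)
    tracker.outbound(query)
    reply = Packet("udp", RESOLVER, 53, CLIENT, 40123)

    scan = build_scan(53, dports)
    return {
        "dns_reply_stateless": stateless_accept(reply),
        "dns_reply_stateful": tracker.accept(reply),
        # The destination port decides which service receives the probe;
        # the forged source port only decides whether the filter lets it in.
        "scan_reaches_stateless": [p.dport for p in scan if stateless_accept(p)],
        "scan_reaches_stateful": [p.dport for p in scan if tracker.accept(p)],
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Both filters admit the genuine reply, but only the stateless one also delivers every probe of the scan to whatever listens on 22, 135 (EPMAP), 139 and 445, which is the situation the reply above describes. Note that this reply-tracking model covers the DNS case only: an active-mode FTP data connection arrives from the server's port 20 to a client port announced on the control channel, which a plain reply tracker has never seen, so real firewalls need an application-aware helper for it rather than a source-port exception.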


