Re: BO2k Port?

From: Daniel Roethlisberger (daniel@roe.ch)
Date: 09/28/01


Date: Fri, 28 Sep 2001 18:42:20 +0200
From: Daniel Roethlisberger <daniel@roe.ch>
Message-ID: <15114620421.20010928184220@roe.ch>
To: pen-test@securityfocus.com
Subject: Re: BO2k Port?


PM Systems - Rick Woehler <RWoehler@PMSysCorp.com> wrote:
> Doing an audit on a gov agency with a Raptor Firewall. I was
> shocked to see nmap repeatedly reporting 31335 and 31337 UDP
> open on the firewall. I'm told by my firewall guys that Raptors
> and VelociRaptors install with all ports closed and ports have
> to be specifically opened to allow traffic. I can't imagine the
> person that installed this firewall would allow those ports.

First off, 31337/udp was only used by good old BO 1.2 (Sir Dystic's
original BO), and not BO2K (which has no real default ports, and
can use TCP too).

Second, nmap reporting open UDP ports is due to the way UDP is
designed to work: a closed port sends an ICMP port unreachable
back, while an open one sends back nothing (as UDP is
connectionless it is generally up to the listening application to
send UDP datagrams back or not). So essentially, there's no way to
distinguish firewalled and open UDP ports. I suspect that the
thing you scanned just drops all packets on those UDP ports,
that's why you see them open in nmap.

Cheers,
Dan

-- 
   Daniel Roethlisberger <daniel@roe.ch>
   PGP Key ID 0x8DE543ED with fingerprint
   6C10 83D7 2BB8 D908 10AE  7FA3 0779 0355 8DE5 43ED

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
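
Added example, not part of the original post: a loopback-only sketch of the UDP behaviour described in the reply, showing that a listener which never answers and a closed port produce different observations, while silence alone cannot separate "listening" from "dropped". The function names are hypothetical, the "open|filtered" label is the one current nmap versions print for silence, and the exception mapping assumes a Linux or Windows socket stack.

```python
import socket

def classify(observations):
    """Reduce per-attempt observations to a port state.
    Each item is 'udp_reply', 'icmp_unreachable' or None (silence)."""
    if "udp_reply" in observations:
        return "open"
    if "icmp_unreachable" in observations:
        return "closed"
    # Silence on every attempt: a service that chose not to answer and a
    # firewall that dropped the probe look identical from the outside.
    return "open|filtered"

def probe(host, port, attempts=2, timeout=0.5):
    """Send empty datagrams and record what comes back for each attempt."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so ICMP errors reach us
        for _ in range(attempts):
            try:
                s.send(b"")
                s.recv(1024)
                seen.append("udp_reply")
            except (ConnectionRefusedError, ConnectionResetError):
                # The kernel received an ICMP port unreachable for our probe.
                seen.append("icmp_unreachable")
            except socket.timeout:
                seen.append(None)
    return seen

def loopback_demo():
    """Probe a silent listener, then the same port after it is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port; never replies
    port = listener.getsockname()[1]
    silent = classify(probe("127.0.0.1", port))
    listener.close()
    closed = classify(probe("127.0.0.1", port))
    return silent, closed

if __name__ == "__main__":
    print(loopback_demo())
```

Several attempts are recorded per port because hosts commonly rate-limit ICMP unreachable messages, so a single silent attempt is weaker evidence than repeated silence.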


