Re: BO2k Port?

From: H D Moore (hdm@secureaustin.com)
Date: 09/28/01


Message-ID: <20010928172135.3505.qmail@securityfocus.com>
From: H D Moore <hdm@secureaustin.com>
To: PM Systems - Rick Woehler <RWoehler@PMSysCorp.com>, pen-test@securityfocus.com
Subject: Re: BO2k Port?
Date: Fri, 28 Sep 2001 12:21:28 -0500

On Friday 28 September 2001 08:52 am, PM Systems - Rick Woehler wrote:
> I haven't been able to connect with my BO2k console and am beginning to
> wonder if this is a false positive. I've seen Raptor Firewalls report open
> ports when they in fact are not and am wondering if anyone has advice on
> these high ports.
>
> # Nmap (V. nmap) scan initiated 2.53 as: nmap -sU -oN test.txt
> xxx.xxx.xxx.xxx
> Interesting ports on (xxx.xxx.xxx.xxx):
> (The 1436 ports scanned but not shown below are in state: closed)
> Port State Service
> 19/udp open chargen
[ snip ]
> 31335/udp open Trinoo_Register
> 31337/udp open BackOrifice

Those are more than likely false positives; the reason nmap reports these as
open is because of how UDP scanning works:

Nmap sends a 0 byte UDP packet.
If Nmap receives an ICMP port unreachable, the port is closed.
If Nmap gets no response (or it's filtered), the port is open.

So, to see if the port is _really_ open, try the following:

# nmap -sU -p 31330-31340

If all 10 ports come back open, then you can't trust the results at all. The
only real workaround is to send application level queries to each UDP service to
determine if it's alive; obviously that doesn't work for services like bo2k or
snmp if you don't have the proper password/community string. I attached a
script I wrote which does a DNS query on UDP port 53 and looks for a
response; due to the type of query (PTR for its own IP) almost every DNS
server will respond to it.

btw, it's now on the tools page of my site:
http://www.digitaloffense.net/index.html?section=TOOLS

-- 
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play
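The application-level check described in the reply above, written out as an added example. This is not the script H D Moore attached or anything from his tools page; it is a self-contained illustration of the same idea: build a DNS PTR query for the target's own address, send it to udp/53, and treat a well-formed DNS reply (even an NXDOMAIN) as proof the port is really open, an ICMP port unreachable as closed, and silence as "don't know". The `TARGET_IP` value is a documentation-range placeholder, and all function names are this example's own.

```python
import socket
import struct

# Placeholder target (TEST-NET-1 documentation range), not an address from the post.
TARGET_IP = "192.0.2.1"


def build_ptr_query(ip, txid=0x1234):
    """Build a DNS PTR query for ip's own reverse name (e.g. 1.2.0.192.in-addr.arpa).

    This is the probe the post describes: nearly every DNS server answers it,
    if only with NXDOMAIN, so any reply proves the UDP service is alive.
    """
    labels = ip.split(".")[::-1] + ["in-addr", "arpa"]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QTYPE 12 = PTR, QCLASS 1 = IN
    return header + qname + struct.pack("!HH", 12, 1)


def parse_response(query, data):
    """Return (rcode, ancount) if data is a DNS reply to our query, else None.

    A reply must echo our transaction ID and have the QR (response) bit set;
    anything else is noise, not evidence that a DNS server is listening.
    """
    if len(data) < 12:
        return None
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", data[:8])
    qid = struct.unpack("!H", query[:2])[0]
    if rid != qid or not flags & 0x8000:
        return None
    return flags & 0x000F, ancount


def classify(query, data):
    """Map a raw UDP payload (or None when nothing arrived) to a verdict."""
    if data is None:
        return "silent"
    return "alive" if parse_response(query, data) is not None else "silent"


def probe_dns(ip, port=53, timeout=2.0):
    """Send the PTR query over UDP and classify the outcome.

    'alive'       - a DNS reply came back (open port with a real DNS server)
    'unreachable' - the kernel reported ICMP port unreachable (closed port)
    'silent'      - nothing usable came back (filtered, or open but not DNS)
    """
    query = build_ptr_query(ip)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # connect() so an ICMP port unreachable surfaces as ECONNREFUSED
        sock.connect((ip, port))
        sock.send(query)
        data = sock.recv(512)
    except socket.timeout:
        return "silent"
    except ConnectionRefusedError:
        return "unreachable"
    finally:
        sock.close()
    return classify(query, data)


# Constructed reply: same ID, QR=1 RD=1 RA=1, RCODE=3 (NXDOMAIN), one question,
# no answers. A real server would also echo the question section after the header.
CONSTRUCTED_NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_ptr_query(TARGET_IP)
    print("offline check on constructed reply:", classify(q, CONSTRUCTED_NXDOMAIN_REPLY))
    print(TARGET_IP, "udp/53:", probe_dns(TARGET_IP))
```

Run against the 10-port sanity check in the post: if nmap says 31330-31340 are all open but a probe like this only gets "alive" from ports where a real service answers, the rest are the filter swallowing packets, not listeners. The same structure (send a request the service must answer, accept only a reply that matches the request) is what any UDP service check needs; DNS is just the case where almost any server will answer without credentials.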
