Re: BO2k Port?

From: H D Moore (hdm@secureaustin.com)
Date: 09/28/01


Message-ID: <20010928172238.4597.qmail@securityfocus.com>
From: H D Moore <hdm@secureaustin.com>
To: PM Systems - Rick Woehler <RWoehler@PMSysCorp.com>, pen-test@securityfocus.com
Subject: Re: BO2k Port?
Date: Fri, 28 Sep 2001 12:22:35 -0500


And of course I forget the attachment...

On Friday 28 September 2001 12:21 pm, H D Moore wrote:
> On Friday 28 September 2001 08:52 am, PM Systems - Rick Woehler wrote:
> > I haven't been able to connect with my BO2k console and am beginning
> > to wonder if this is a false positive. I've seen Raptor Firewalls report
> > open ports when they in fact are not and am wondering if anyone has
> > advice on these high ports.
> >
> > # Nmap (V. nmap) scan initiated 2.53 as: nmap -sU -oN test.txt xxx.xxx.xxx.xxx
> > Interesting ports on (xxx.xxx.xxx.xxx):
> > (The 1436 ports scanned but not shown below are in state: closed)
> > Port State Service
> > 19/udp open chargen
>
> [ snip ]
>
> > 31335/udp open Trinoo_Register
> > 31337/udp open BackOrifice
>
> Those are more than likely false positives; the reason nmap reports these
> as open is because of how udp scanning works:
>
> Nmap sends a 0 byte udp packet.
> If Nmap receives an icmp port unreachable, the port is closed.
> If Nmap gets no response (or it's filtered) the port is open.
>
> So, to see if the port is _really_ open, try the following:
>
> # nmap -sU -p 31330-31340
>
> If all 10 ports come back open, then you can't trust the results at all.
> The only real workaround is to send application level queries to each udp
> service to determine if it's alive; obviously that doesn't work for services
> like bo2k or snmp if you don't have the proper password/community string. I
> attached a script I wrote which does a DNS query on udp port 53 and looks
> for a response; due to the type of query (ptr for its own ip) almost every
> DNS server will respond to it.
>
> btw, it's now on the tools page of my site:
> http://www.digitaloffense.net/index.html?section=TOOLS

-- 
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
