Re: Hidden Ports
From: David J. Bianco (bianco_at_jlab.org)
Date: 02/03/04
- Previous message: Mortis: "Outpost firewall does NOT have Back Orifice trojan program"
- In reply to: Eduardo Sorensen: "Hidden Ports"
- Next in thread: Michael Painter: "Re: Hidden Ports"
- Reply: Michael Painter: "Re: Hidden Ports"
- Reply: vrsnet_at_pandora.be: "Re: Hidden Ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 03 Feb 2004 14:46:49 -0500 To: Eduardo Sorensen <ovo@osite.com.br>
Eduardo Sorensen wrote:
> Can a port scanner not see a port that is opened?
>
> The question is: can a backdoor be on a machine, and with nmap -p 1-,
> for example, you couldn't see it?
>
Yes, this is quite common these days. Rootkits like SucKIT can monitor
all IP sessions on a host, and only open up the backdoor port when a
certain trigger arrives via one of the already-open services. For example,
if an attacker sends a certain string of bytes to the HTTP server on port
80 (even if the string is invalid HTTP). Some tools also look for
connections to ports in certain order (eg, the same host contacts port
80, port 22 and then port 443 within a few seconds). Unless the trigger
is received, then the backdoor isn't listening, and thus wouldn't show
up in a portscan.
There may be other more innovative triggers, too. It's a hard problem. If
you think you might have a backdoor, you shouldn't depend solely on
portscanners like nmap to detect it. Anti-virus, tripwire and tools like
chkrootkit are also necessary.
David
--
David J. Bianco, GSEC GCUX GCIH <bianco@jlab.org>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint: 516A B80D AAB3 1617 A340 227A 723B BFBE B395 33BA
The views expressed herein are solely those of the author and
not those of SURA/Jefferson Lab or the US DOE.
---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------
- Previous message: Mortis: "Outpost firewall does NOT have Back Orifice trojan program"
- In reply to: Eduardo Sorensen: "Hidden Ports"
- Next in thread: Michael Painter: "Re: Hidden Ports"
- Reply: Michael Painter: "Re: Hidden Ports"
- Reply: vrsnet_at_pandora.be: "Re: Hidden Ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
