Re: an error in the NMAP docs?
From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 04/05/05
- Previous message: Pat Smith: "RE: Microsoft Software Auditing ?"
- In reply to: Michael Herz: "an error in the NMAP docs?"
- Next in thread: David Gillett: "RE: an error in the NMAP docs?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 05 Apr 2005 14:07:17 +0100
To: Michael Herz <mherz@uwaterloo.ca>
Michael Herz wrote:
> Hi all,
>
> Is there an error in the NMAP docs? The --source_port section says:
>
> "Many naive firewall and packet filter installations make an exception in
> their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through
> and establish a connection. Obviously this completely subverts the security
> advantages of the firewall since intruders can just masquerade as FTP or
> DNS by modifying their source port."
>
> This implies that the hole in a packet filtered machine exists if it has
> allowed inbound DNS or FTP connections. I don't believe this is true. I
> think the hole only exists if the machine has allowed outbound (i.e. client)
> connections from the machine. For example if the machine allowed outbound
> DNS client requests to the world, using --source_port 53 would exploit the
> hole.
The manual is quite correct, if you allow incoming requests from port 53
to any random port internally to *establish a connection*. This
represents a hole. The attacker can target any port he wishes as long as
his source is 53. This is a common firewall misconfiguration.
--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk
CA: www.cacert.org
"He who hingeth aboot, getteth hee-haw" - Victor (Still Game)
- application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature
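The misconfiguration discussed in this thread can be checked for in a firewall ruleset. The following is an added example, not part of the original message or the nmap documentation: it scans iptables-save style rules for ACCEPT rules that trust source port 20 or 53 without restricting the match to already-tracked connections. The function names and the sample ruleset are constructed for illustration, and it assumes numeric ports and single `--sport` matches (no multiport).

```python
import shlex

TRUSTED_SPORTS = (20, 53)  # FTP-DATA and DNS, the ports named in the quoted nmap text

def parse_rule(line):
    """Split one iptables-save '-A' line into (chain, target, options)."""
    tokens = shlex.split(line)
    chain, target, opts = None, None, {}
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-A":
            chain = tokens[i + 1]
        elif tok == "-j":
            target = tokens[i + 1]
        elif tok.startswith("--") and (i == 0 or tokens[i - 1] != "!"):
            opts[tok] = tokens[i + 1]  # negated ("!") matches are skipped
    return chain, target, opts

def port_in(spec, port):
    """True if port falls inside an iptables port spec such as '53' or '1024:'."""
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high

def audit(ruleset):
    """Return (line_no, sport, dport) for ACCEPT rules that trust a source port."""
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        if not line.strip().startswith("-A "):
            continue
        chain, target, opts = parse_rule(line)
        if chain not in ("INPUT", "FORWARD") or target != "ACCEPT":
            continue
        sport = opts.get("--sport") or opts.get("--source-port")
        if not sport or not any(port_in(sport, p) for p in TRUSTED_SPORTS):
            continue
        states = opts.get("--state") or opts.get("--ctstate") or ""
        if states and "NEW" not in states.split(","):
            continue  # only packets of already-tracked connections match
        dport = opts.get("--dport") or opts.get("--destination-port")
        findings.append((n, sport, dport or "any"))
    return findings

SAMPLE = """\
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
"""  # constructed sample ruleset, not taken from the thread
```

Calling `audit(SAMPLE)` flags the two stateless rules and passes the one limited to ESTABLISHED traffic.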