RE: an error in the NMAP docs?

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 04/07/05

    To: "'Michael Herz'" <mherz@uwaterloo.ca>, <security-basics@securityfocus.com>
    Date: Wed, 6 Apr 2005 17:16:34 -0700
    
    

    > If you create with a machine that is protected both inbound
    > and outbound by deny all rules and then add a packet filter
    > rule to allow the machine to act as a DNS server (inbound port
    > 53). If you then scan this machine now by using the
    > "--source_port 53" option, scans won't get through and no other
    > services will be exposed.

      Correct but irrelevant. The NMAP docs refer to a possible way
    to get to DNS *clients*, not DNS servers.

    > If you add a client rule so the machine can ftp out (outbound
    > port 20), using the "--source_port 20" option will now allow
    > scans to pass through and will expose all the services the machine
    > has to offer. This is due to the fact that only client service
    > definitions allow access to all ports on the local machine.
    > Server type definitions do not exhibit this behavior as
    > described in the preceding paragraph.

      Again, correct but irrelevant. In order to talk non-PASV FTP,
    the *client* needs to be able to receive connections sourced from
    the server's port 20. On some/many networks, this is achieved by
    permitting ALL clients to receive connections from ANYBODY's
    port 20. Packets from source port 20 to vulnerable-but-normally-
    filtered-port N thus *may* be able to sidestep the filters and
    reach the vulnerable clients.
     
    > If the above paragraphs are correct, I think the NMAP docs are incorrect
    > as they are describing the exploit of a "server type service" rule with
    > the line "Many naive firewall and packet filter installations make an
    > exception in their rule-set to allow DNS (53) or FTP-DATA (20) packets to
    > come through and establish a connection". To me, saying "allow DNS (53)
    > or FTP-DATA (20) packets to come through" implies server services at
    > port 53 and 20 on the machine.

      And FTP-DATA is normally "served" by the FTP client. (DNS isn't,
    but some networks are configured as if it was -- which is the point.)

    > I think the sentence should be written: "Many naive firewall and packet
    > filter installations make an exception in their rule-set to allow
    > outbound DNS (53) or FTP-DATA (20) packets to pass"... thus making a
    > hole that --source_port can exploit.

      But the exception which is the hole refers to allowing inbound packets
    if their source port is one of these two magic values....
     
    > Mike
    >
    >
    >
    > > -----Original Message-----
    > > From: Michael Herz
    > > Sent: Friday, April 01, 2005 8:05 AM
    > > To: security-basics@securityfocus.com
    > > Subject: an error in the NMAP docs?
    > >
    > >
    > > Hi all,
    > >
    > > Is there an error in the NMAP docs? The --source_port section says:
    > >
    > > "Many naive firewall and packet filter installations make an exception
    > > in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come
    > > through and establish a connection. Obviously this completely subverts
    > > the security advantages of the firewall since intruders can just
    > > masquerade as FTP or DNS by modifying their source port."
    > >
    > > This implies that the hole in a packet filtered machine exists if it
    > > has allowed inbound DNS or FTP connections. I don't believe this is
    > > true. I think the hole only exists if the machine has allowed outbound
    > > (i.e. client) connections from the machine. For example if the machine
    > > allowed outbound DNS client requests to the world, using --source_port
    > > 53 would exploit the hole.


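The two inbound policies the reply contrasts, as an added example that is not part of the thread: a filter that admits inbound packets on source port alone (the "naive" exception the nmap text describes) beside a stateful filter that admits only the data connection the local FTP client announced. The addresses, the PORT-command port and the conntrack-style helper are constructed assumptions.

```python
# Added example (not from the thread): model of the two inbound policies
# discussed above, for a host that denies inbound traffic by default.
from dataclasses import dataclass

# The "magic" source ports a naive rule-set exempts: FTP-DATA (20) and DNS (53).
MAGIC_SOURCE_PORTS = {20, 53}


@dataclass(frozen=True)
class Packet:
    """Inbound TCP segment; only the 4-tuple matters for this model."""
    src: str
    sport: int
    dst: str
    dport: int


def naive_allow(pkt: Packet) -> bool:
    """Naive exception: accept any inbound segment whose *source* port is 20
    or 53, whatever local port it targets. The sender chooses its own source
    port, so this keys the decision on a value the sender controls."""
    return pkt.sport in MAGIC_SOURCE_PORTS


class StatefulFilter:
    """Stateful alternative: accept inbound segments only for flows the local
    client set up, e.g. an active-mode FTP data connection announced with a
    PORT command on the control channel (what a conntrack FTP helper records)."""

    def __init__(self) -> None:
        self.expected: set[tuple[str, int, str, int]] = set()

    def expect_ftp_data(self, server: str, client: str, client_port: int) -> None:
        # Active FTP: the server connects from its port 20 to the port the
        # client announced; record exactly that 4-tuple and nothing broader.
        self.expected.add((server, 20, client, client_port))

    def allow(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.expected


def compare(pkt: Packet, sf: StatefulFilter) -> tuple[bool, bool]:
    """(naive verdict, stateful verdict) for one inbound segment."""
    return naive_allow(pkt), sf.allow(pkt)


if __name__ == "__main__":
    server, client, stranger = "198.51.100.7", "192.0.2.10", "203.0.113.5"
    sf = StatefulFilter()
    sf.expect_ftp_data(server, client, 50123)      # client sent PORT ...,195,203
    for p in (Packet(server, 20, client, 50123),   # legitimate FTP data
              Packet(stranger, 20, client, 445),   # probe with forged sport 20
              Packet(stranger, 53, client, 139)):  # probe with forged sport 53
        print(p, compare(p, sf))
```

On Linux the naive rule has the shape of `iptables -A INPUT -p tcp --sport 20 -j ACCEPT`, while the stateful one is `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` with the nf_conntrack_ftp helper loaded, so only the announced data connection is RELATED.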
