Full Disclosure mailing list archives

Re: TCP Port 42 port scans? What the heck over...


From: Matt Ostiguy <ostiguy () gmail com>
Date: Wed, 15 Dec 2004 10:27:31 -0500

On Wed, 15 Dec 2004 09:58:18 -0500, Valdis.Kletnieks () vt edu
<Valdis.Kletnieks () vt edu> wrote:
On Mon, 13 Dec 2004 14:33:42 EST, Matt Ostiguy said:

found an exploitable bug in the WINS service. Still, given how few
people one would expect to have that port accessible through a
firewall, or just how low the percentage of windows servers running
WINS is

Do you have any actual data showing that either of those two numbers is low,
or are you relying on "if people have clue, these will be low"?


Educated guess. Some reasons:

1. A single site /single subnet Windows shop can generally survive
without WINS - systems will battle to act as ad hoc browse master,
which will maintain the browse list of resources for network
neighborhood which it compiles from local subnet broadcasts. This
allows tons of places to run without WINS. If you have ever heard
people talk about Windows boxes being chatty from a network
perspective - this broadcast stuff is why.

2. WINS isn't installed by default on Win2k or 2k3, and I am fairly
certain it wasn't a default install on NT 4 either. DNS is required
for Active Directory on win2k and win2k3.

3. I can't think of a good reason to open WINS through a firewall.
Generally one would expect places with multiple sites to use site to
site connections, IPSec tunnels, and end user VPN tunnels, all of
which would negate the need to open it through the firewall.

4. Most places likely have 1 or 2 WINS servers per site. Any more, and
you are likely increasing pain and complexity (with push-pull
replication issues, etc) versus minimal redundancy gain.

So, DNS is about a universal requirement as there is these days, and a
fair of people are probably exposing their MS DNS service through the
firewall. A fair number are probably running MS DNS internally, and
doing something different externally, for security and/or  usage of
NAT reasons (their DNS server would resolve www.smallbizdomain.com to
192.168.1.2 if exposed to the net). I really cannot think of any
reason why anyone would expose WINS through a firewall, so it probably
leaves the few, the hardy, the stupid who have no firewall whatsoever.

Matt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: