Snort mailing list archives
Re: Nmap
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 19 Nov 2003 20:38:04 -0500
At 06:57 AM 11/19/2003, Mark Fagan wrote:
> Do people really do filtering based on source port ?????
Yes, people really do make this mistake.. I'm not making it up.. believe it or not, stupid people exist ;)
As evidence that it's not just me, this is a common enough firewall flaw that there's even an option in nmap to take advantage of this mistake..
from the nmap manpage:

    -g <portnumber>
        Sets the source port number used in scans. Many naive firewall
        and packet filter installations make an exception in their
        ruleset to allow DNS (53) or FTP-DATA (20) packets to come
        through and establish a connection. Obviously this completely
        subverts the security advantages of the firewall since
        intruders can just masquerade as FTP or DNS by modifying their
        source port. Obviously for a UDP scan you should try 53 first
        and TCP scans should try 20 before 53. Note that this is only a
        request -- nmap will honor it only if and when it is able to.
        For example, you can't do TCP ISN sampling all from one
        host:port to one host:port, so nmap changes the source port
        even if you used -g.
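A defensive check for the mistake discussed in this message, as an added example that is not part of the original post: it scans `iptables-save` style output for ACCEPT rules that match on source port without being limited to established connection state. The sample ruleset is constructed, and the function names (`parse_rule`, `trusts_source_port`, `audit`) are hypothetical.

```python
import shlex

# Constructed iptables-save style sample (not taken from the original post).
SAMPLE_RULES = """\
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j DROP
"""

SPORT_OPTS = ("--sport", "--sports", "--source-port", "--source-ports")


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into {option: value}; None for other lines."""
    line = line.strip()
    if not line.startswith("-A "):
        return None
    tokens = shlex.split(line)
    rule = {"chain": tokens[1], "raw": line}
    i = 2
    while i < len(tokens):
        # An option followed by a non-option token takes that token as its value.
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            rule[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            rule[tokens[i]] = ""
            i += 1
    return rule


def trusts_source_port(rule):
    """True if an ACCEPT rule keys on source port yet still admits NEW connections."""
    if rule.get("-j") != "ACCEPT":
        return False
    if not any(opt in rule for opt in SPORT_OPTS):
        return False
    states = rule.get("--ctstate") or rule.get("--state") or ""
    # No state match at all, or one that includes NEW, lets an unsolicited
    # packet in purely because of the source port it claims.
    return states == "" or "NEW" in states.split(",")


def audit(ruleset_text):
    """Return the raw text of every rule that trusts the source port."""
    rules = (parse_rule(l) for l in ruleset_text.splitlines())
    return [r["raw"] for r in rules if r and trusts_source_port(r)]
```

Pass the text of a real `iptables-save` dump to `audit()` to get the rules to review; negated matches (`!`) are flagged the same way as positive ones and need a manual look.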