Snort mailing list archives

Re: Nmap


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 19 Nov 2003 20:38:04 -0500

At 06:57 AM 11/19/2003, Mark Fagan wrote:
Do people really do filtering based on source port ?????

Yes, people really do make this mistake.. I'm not making it up.. believe it or not, stupid people exist ;)

As evidence that it's not just me, this is a common enough firewall flaw that there's even an option in nmap to take advantage of this mistake..

from the nmap manpage:

       -g <portnumber>
              Sets the source port number used in scans. Many naive firewall
              and packet filter installations make an exception in their
              ruleset to allow DNS (53) or FTP-DATA (20) packets to come
              through and establish a connection. Obviously this completely
              subverts the security advantages of the firewall since
              intruders can just masquerade as FTP or DNS by modifying their
              source port. Obviously for a UDP scan you should try 53 first
              and TCP scans should try 20 before 53. Note that this is only a
              request -- nmap will honor it only if and when it is able to.
              For example, you can't do TCP ISN sampling all from one
              host:port to one host:port, so nmap changes the source port
              even if you used -g.
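To make the firewall mistake discussed in this thread concrete, the following is an added example (it is not from the original message, nor from nmap or Snort): a toy packet filter that evaluates constructed traffic under the naive source-port exception and, beside it, under a state-tracking rule of the kind that fixes it. Addresses, port numbers, and the `naive_inbound` / `StatefulInbound` / `run_scenario` names are all assumptions made for the example; the iptables lines in the comments are given only as the real-world analogue of each rule.

```python
"""Toy packet filter: a naive source-port exception beside a stateful rule.

Added illustration for the "filtering on source port" mistake; not code from
the mailing list thread, nmap, or Snort. All hosts and ports are constructed.
"""
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
INSIDE_HOST = "10.0.0.5"
DNS_SERVER = "192.0.2.53"
SCANNER = "198.51.100.9"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN without ACK: a brand-new connection attempt


def naive_inbound(pkt: Packet) -> str:
    """The mistake: trust an inbound packet because of its *source* port.

    Real-world analogue (iptables):  -A INPUT -p udp --sport 53 -j ACCEPT
    The sender chooses the source port, so anything sent with source port
    53 or 20 (exactly what nmap -g asks for) matches this exception.
    """
    if pkt.src_port in (53, 20):
        return "ACCEPT"
    return "DROP"


class StatefulInbound:
    """The fix: admit only packets that belong to a flow an inside host opened.

    Real-world analogue (iptables):
        -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    """

    def __init__(self) -> None:
        # Flows the inside initiated: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.flows = set()

    def outbound(self, pkt: Packet) -> str:
        """Record an outbound packet so its replies are recognised later."""
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        if pkt.proto == "tcp" and pkt.syn:
            return "DROP"   # a fresh SYN is never a reply, whatever its source port
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ACCEPT" if key in self.flows else "DROP"


def run_scenario() -> dict:
    """Replay constructed traffic through both filters; return (naive, stateful) verdicts."""
    stateful = StatefulInbound()
    # The inside host really does send a DNS query, so its reply is legitimate.
    stateful.outbound(Packet("udp", INSIDE_HOST, 40000, DNS_SERVER, 53))

    traffic = {
        "dns reply to our own query":
            Packet("udp", DNS_SERVER, 53, INSIDE_HOST, 40000),
        "unsolicited TCP SYN to ssh, source port 20":
            Packet("tcp", SCANNER, 20, INSIDE_HOST, 22, syn=True),
        "unsolicited TCP SYN to ssh, source port 53":
            Packet("tcp", SCANNER, 53, INSIDE_HOST, 22, syn=True),
        "unsolicited TCP SYN to ssh, random source port":
            Packet("tcp", SCANNER, 44321, INSIDE_HOST, 22, syn=True),
    }
    return {name: (naive_inbound(p), stateful.inbound(p)) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (naive, stateful) in run_scenario().items():
        print(f"{name:48s} naive={naive:6s} stateful={stateful}")
```

Both filters let the genuine DNS reply through, but only the naive one also admits the two unsolicited SYNs whose source port happens to be 20 or 53; the stateful rule drops them because no inside host opened those flows, which is the behaviour a firewall ruleset should have instead of a blanket source-port exception.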


