Security Basics mailing list archives
RE: an error in the NMAP docs?
From: "Michael Herz" <mherz () uwaterloo ca>
Date: Wed, 6 Apr 2005 16:00:54 -0400
Hi all, Thanks for the reply's but I don't think I'm getting my point across properly. Please let me try again. If you create with a machine that is protected both inbound and outbound by deny all rules and then add a packet filter rule to allow the machine to act as a DNS server (inbound port 53). If you then scan this machine now by using the "--source_port 53" option, scans won't get through and no other services will be exposed. If you add a client rule so the machine can ftp out (outbound port 20), using the "--source_port 20" option will now allow scans to pass through and will expose all the services the machine has to offer. This is due to the fact that only client service definitions allow access to all ports on the local machine. Server type definitions do not exhibit this behavior as described in the preceding paragraph. If the above paragraphs are correct, I think the NMAP docs are incorrect as they are describing the exploit of a "server type service" rule with the line "Many naive firewall and packet filter installations make an exception in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection". To me, saying "allow DNS (53) or FTP-DATA (20) packets to come through" implies server services at port 53 and 20 on the machine. I think the sentence should be written: "Many naive firewall and packet filter installations make an exception in their rule-set to allow outbound DNS (53) or FTP-DATA (20) packets to pass"... thus making a hole that --source_port can exploit. Mike
-----Original Message----- From: Michael Herz Sent: Friday, April 01, 2005 8:05 AM To: security-basics () securityfocus com Subject: an error in the NMAP docs? Hi all, Is there an error in the NMAP docs? The --source_port section says: "Many naive firewall and packet filter installations make an exception in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection. Obviously this completely subverts the security advantages of the firewall since intruders can just masquerade as FTP or DNS by modifying their source port." This implies that the hole in a packet filtered machine exists if it has allowed inbound DNS or FTP connections. I don't believe this is true. I think the hole only exists if the machine has allowed outbound (ie client) connections from the machine. For example if the machine allowed outbound DNS client requests to the world, using --source_port 53 would exploit the hole.
--------------------------------------------------------------------------- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ----------------------------------------------------------------------------
Current thread:
- an error in the NMAP docs? Michael Herz (Apr 04)
- Re: an error in the NMAP docs? Barrie Dempster (Apr 05)
- RE: an error in the NMAP docs? David Gillett (Apr 06)
- RE: an error in the NMAP docs? Michael Herz (Apr 06)
- RE: an error in the NMAP docs? David Gillett (Apr 07)
- RE: an error in the NMAP docs? Michael Herz (Apr 07)
- RE: an error in the NMAP docs? David Gillett (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 08)
- RE: an error in the NMAP docs? David Gillett (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 06)
- <Possible follow-ups>
- RE: an error in the NMAP docs? Fields, James (Apr 05)