Security Basics mailing list archives

Re: Source port scanning w/nmap?


From: ChayoteMu <chayotemu () gmail com>
Date: Tue, 5 Jul 2005 21:47:46 -0700

Some hosts will not allow a connection from certain ports to limit the
kinds of incoming traffic. An oversimplified example could be a
machine set to block all traffic that isn't coming from port 53 (DNS).
If you just scan it you won't get any responses because your source
ports will be unassigned (over 1024) and so couldn't be from port 53.
If you scan claiming to be DNS replies it would respond because it
allows traffic from that source port. Here's an explanation from the
nmap man page:
       --source_port <portnumber>
              Sets the source port number used in scans. Many naive firewall
              and packet filter installations make an exception in their
              ruleset to allow DNS (53) or FTP-DATA (20) packets to come
              through and establish a connection. Obviously this completely
              subverts the security advantages of the firewall since intruders
              can just masquerade as FTP or DNS by modifying their source port.
              Obviously for a UDP scan you should try 53 first and TCP scans
              should try 20 before 53. Note that this is only a request --
              nmap will honor it only if and when it is able to. For example,
              you can't do TCP ISN sampling all from one host:port to one
              host:port, so nmap changes the source port even if you used this
              option. This is an alias for the shorter, but harder to
              remember, -g option.

              Be aware that there is a small performance penalty on some scans
              for using this option, because I sometimes store useful
              information in the source port number.

On 7/3/05, dissolved <dissolved () comcast net> wrote:
Thanks. When you say "some hosts may not allow connections from every port"
...what do you mean?  This is where I get confused.  What is the purpose of
source port scanning? To just find live hosts? Do you use ping sweeping in
combination with source port scanning?

-----Original Message-----
From: Johannes Schneider [mailto:ichhabekeineemail () gmx net]
Sent: Sunday, July 03, 2005 6:29 PM
To: dissolved
Cc: security-basics () securityfocus com
Subject: Re: Source port scanning w/nmap?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dissolved wrote:
Can someone please assist me with doing source port scanning with nmap?
I've read the MAN page and do not see this switch listed.

Is it --source-port <port number>?

Thanks



Try nmap -sS -g [source port] [more options] [address2scan] as root. You
can't do nmap -cS -g [...] [...] [...].

If I understand it correctly, the source port is the port you use to send
your scan packets to the host. It's useful to scan hosts which don't allow
connections from every port.

greatz Johannes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCyGaysVM05bj27BsRAjeoAJ9cR5kCWx7xnU/3iU/O+O/6KrLZ+QCgt/9A
94CQ6bYQ72riheBEsJ/n0Gs=
=hRzW
-----END PGP SIGNATURE-----




-- 
ChayoteMu

"To catch a thief, think like a thief. To catch a master thief, be a
master thief."
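The point made in this thread, as an added example that is not part of the original posts: the script below simulates the kind of stateless "allow source port 53 or 20" rule the nmap man page warns about, beside a stateful filter that only admits replies to connections the host itself opened (plus new connections to ports it deliberately publishes). It runs the same constructed SYN probes, the packets nmap -sS -g 53 would send, through both. All addresses, ports and packets are made up for the demonstration; nothing here touches the network or invokes nmap.

```python
"""Why a stateless "allow source port 53/20" rule is subverted by nmap -g.

Added example, not from the mailing list thread. Two packet filters in front
of a host are simulated and the same constructed probes are run through both:
a stateless rule that inspects only the source port, and a stateful rule that
tracks the host's outbound connections. Hosts, ports and packets are invented.
"""
from dataclasses import dataclass

PROTECTED_HOST = "10.0.0.5"        # assumed address of the filtered host
TRUSTED_SOURCE_PORTS = {20, 53}    # FTP-DATA and DNS, as in the man page


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN/ACK


def naive_allows(pkt: Packet) -> bool:
    """Stateless rule: traffic to the host passes if its source port is one
    of the 'trusted' service ports. Only the source port is inspected, and
    that is exactly the field nmap -g lets the scanner choose."""
    if pkt.dst != PROTECTED_HOST:
        return True
    return pkt.sport in TRUSTED_SOURCE_PORTS


class StatefulFilter:
    """Remembers connections the host initiates; inbound packets pass only if
    they answer one of those, or are a new SYN to an explicitly published port."""

    def __init__(self, published_ports=()):
        self.published = set(published_ports)
        self.conns = set()  # (peer, peer_port, host_port) of outbound SYNs

    def outbound(self, pkt: Packet) -> None:
        if pkt.src == PROTECTED_HOST and pkt.flags == "S":
            self.conns.add((pkt.dst, pkt.dport, pkt.sport))

    def allows(self, pkt: Packet) -> bool:
        if pkt.dst != PROTECTED_HOST:
            return True
        if (pkt.src, pkt.sport, pkt.dport) in self.conns:
            return True  # reply to a connection the host opened itself
        return pkt.flags == "S" and pkt.dport in self.published


def sample_traffic():
    """Constructed traffic: a legitimate DNS-over-TCP reply, one plain scan
    probe from an ephemeral port, and nmap -sS -g 53 style probes against
    ports 22, 80 and 3306."""
    scanner = "198.51.100.7"
    legit_reply = Packet("192.0.2.1", 53, PROTECTED_HOST, 40000, "SA")
    plain_probe = Packet(scanner, 45000, PROTECTED_HOST, 22, "S")
    spoofed = [Packet(scanner, 53, PROTECTED_HOST, p, "S") for p in (22, 80, 3306)]
    return legit_reply, plain_probe, spoofed


def ports_reached(allow_fn, probes):
    """Ports whose probes actually get through a given filter."""
    return sorted(p.dport for p in probes if allow_fn(p))


def compare_filters():
    legit_reply, plain_probe, spoofed = sample_traffic()
    sf = StatefulFilter(published_ports={80})
    # The host earlier opened a TCP DNS query to 192.0.2.1:53 from port 40000,
    # so the stateful filter knows to expect the SYN/ACK coming back.
    sf.outbound(Packet(PROTECTED_HOST, 40000, "192.0.2.1", 53, "S"))
    return {
        "naive_reply_ok": naive_allows(legit_reply),
        "stateful_reply_ok": sf.allows(legit_reply),
        "naive_plain_scan": naive_allows(plain_probe),   # ephemeral port: dropped
        "naive_reached": ports_reached(naive_allows, spoofed),
        "stateful_reached": ports_reached(sf.allows, spoofed),
    }


if __name__ == "__main__":
    for name, value in compare_filters().items():
        print(f"{name}: {value}")
```

Both filters let the real DNS reply through, and both drop a scan from an ephemeral source port, which is why the plain scan in the thread gets no answers. The difference shows up on the forged probes: the stateless rule passes all three to ports 22, 80 and 3306 on the strength of source port 53 alone, while the stateful filter passes only the SYN to port 80, the one service the host actually publishes. In a real deployment the stateful behaviour corresponds to matching on connection state (for example, an ESTABLISHED/RELATED rule) rather than on the peer's source port.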

