Security Basics mailing list archives
Re: Source port scanning w/nmap?
From: ChayoteMu <chayotemu () gmail com>
Date: Tue, 5 Jul 2005 21:47:46 -0700
Some hosts will not allow a connection from certain ports to limit the kinds of incoming traffic. An oversimplified example could be a machine set to block all traffic that isn't coming from port 53 (DNS). If you just scan it you won't get any responses because your source ports will be unassigned (over 1024) and so couldn't be from port 53. If you scan claiming to be DNS replies it would respond because it allows traffic from that source port.

Here's an explanation from the nmap man page:

    --source_port <portnumber>
        Sets the source port number used in scans. Many naive firewall and packet filter installations make an exception in their ruleset to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection. Obviously this completely subverts the security advantages of the firewall since intruders can just masquerade as FTP or DNS by modifying their source port. Obviously for a UDP scan you should try 53 first and TCP scans should try 20 before 53. Note that this is only a request -- nmap will honor it only if and when it is able to. For example, you can't do TCP ISN sampling all from one host:port to one host:port, so nmap changes the source port even if you used this option. This is an alias for the shorter, but harder to remember, -g option. Be aware that there is a small performance penalty on some scans for using this option, because I sometimes store useful information in the source port number.

On 7/3/05, dissolved <dissolved () comcast net> wrote:
> Thanks. When you say "some hosts may not allow connections from every port"... what do you mean? This is where I get confused. What is the purpose of source port scanning? To just find live hosts? Do you use ping sweeping in combination with source port scanning?
>
> -----Original Message-----
> From: Johannes Schneider [mailto:ichhabekeineemail () gmx net]
> Sent: Sunday, July 03, 2005 6:29 PM
> To: dissolved
> Cc: security-basics () securityfocus com
> Subject: Re: Source port scanning w/nmap?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> dissolved wrote:
> > Can someone please assist me with doing source port scanning with nmap? I've read the MAN page and do not see this switch listed. Is it --source-port <port number>? Thanks
>
> Try nmap -sS -g [source port] [more options] [address2scan] as root. You can't do nmap -cS -g [...] [...] [...]. If I understand it correctly, the source port is the port you use to send your scan packets to the host. It's useful to scan hosts which don't allow connections from every port.
>
> greatz Johannes
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCyGaysVM05bj27BsRAjeoAJ9cR5kCWx7xnU/3iU/O+O/6KrLZ+QCgt/9A
> 94CQ6bYQ72riheBEsJ/n0Gs=
> =hRzW
> -----END PGP SIGNATURE-----
--
ChayoteMu
"To catch a thief, think like a thief. To catch a master thief, be a master thief."
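The man page excerpt above describes why a stateless "allow anything from source port 53 or 20" exception is worthless, and ChayoteMu's reply gives the intuition. The following is an added illustration, not code from the thread or from nmap: a toy packet filter, written as a Python model rather than real firewall rules, that evaluates the same inbound packets under the naive source-port exception and under a connection-tracking policy that only admits replies to flows the protected host itself opened. All addresses, ports and packets are constructed for the example.

```python
"""Toy packet filter: a stateless source-port exception versus connection
tracking. Constructed example to illustrate the nmap man page warning; this
is not real firewall code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# (proto, src, sport, dst, dport) as recorded when a host opens a connection
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class NaiveFilter:
    """Stateless filter with the exception the man page warns about:
    anything arriving *from* port 53 or 20 is let through regardless of
    destination port or connection state."""
    TRUSTED_SPORTS = {20, 53}

    def __init__(self, open_ports: Set[int]) -> None:
        self.open_ports = open_ports

    def inbound(self, pkt: Packet) -> str:
        if pkt.dport in self.open_ports or pkt.sport in self.TRUSTED_SPORTS:
            return "ACCEPT"
        return "DROP"


class StatefulFilter:
    """Connection-tracking filter: inbound traffic is accepted only if it is
    a new connection to a published port, or a reply to a flow this host
    opened. The source port of an unsolicited packet carries no weight."""

    def __init__(self, open_ports: Set[int]) -> None:
        self.open_ports = open_ports
        self.flows: Set[Flow] = set()

    def outbound(self, pkt: Packet) -> None:
        # remember every flow the protected host initiates
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> str:
        new_conn = pkt.proto != "tcp" or (pkt.syn and not pkt.ack)
        if new_conn and pkt.dport in self.open_ports:
            return "ACCEPT"
        # the reverse 5-tuple is what we recorded when the host sent the request
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"
        return "DROP"


# constructed addresses from the RFC 5737 documentation ranges
PROTECTED = "192.0.2.10"
SCANNER = "198.51.100.7"
RESOLVER = "192.0.2.53"


def run_scenario() -> Dict[str, Dict[str, str]]:
    """Only port 80 is published. The host first sends a real DNS query, then
    receives the resolver's reply plus three SYNs that all claim source port 53."""
    naive = NaiveFilter({80})
    stateful = StatefulFilter({80})

    query = Packet("udp", PROTECTED, 40000, RESOLVER, 53)
    stateful.outbound(query)                      # legitimate outbound lookup
    reply = Packet("udp", RESOLVER, 53, PROTECTED, 40000)

    probes: List[Packet] = [
        Packet("tcp", SCANNER, 53, PROTECTED, p, syn=True) for p in (22, 80, 443)
    ]

    verdicts: Dict[str, Dict[str, str]] = {"naive": {}, "stateful": {}}
    for name, fw in (("naive", naive), ("stateful", stateful)):
        verdicts[name]["dns_reply"] = fw.inbound(reply)
        for pkt in probes:
            verdicts[name][f"syn_to_{pkt.dport}"] = fw.inbound(pkt)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(name, verdict)
```

The naive filter accepts all three probes because their source port is 53, so an attacker learns whether 22 and 443 are listening just as the man page says; the stateful filter still accepts the genuine DNS reply (it matches the recorded outbound query) but drops the probes to 22 and 443 because no flow to those ports was ever opened from the inside. The defensive takeaway is to key exceptions on connection state, not on the remote port number.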
Current thread:
- Re: Source port scanning w/nmap? Gonzalo Martinez (Jul 04)
- <Possible follow-ups>
- Re: Source port scanning w/nmap? matt (Jul 04)
- Re: Source port scanning w/nmap? Johannes Schneider (Jul 05)
- RE: Source port scanning w/nmap? dissolved (Jul 05)
- Re: Source port scanning w/nmap? ChayoteMu (Jul 06)
- Re: Source port scanning w/nmap? Jonathan Glass (Jul 06)
- RE: Source port scanning w/nmap? David Gillett (Jul 06)
- Dsniff usage dissolved (Jul 05)
- Re: Dsniff usage Ron (Jul 06)
- Re: Dsniff usage Geert VAN ACKER (Jul 11)
- Re: Dsniff usage Ron (Jul 13)
- Re: Dsniff usage John (Jul 11)
- RE: Source port scanning w/nmap? dissolved (Jul 05)