Firewall Wizards mailing list archives

Re: source port specific port scan (Rich Wilson)


From: "Don Jones" <don.jones () linuxmail org>
Date: Mon, 15 Oct 2001 10:17:15 +1100

Does anyone know of a port scanner that allows you to specify the source port? 
I'm trying to test a filter that allows outbound only SMTP.  My worry is that
it is not stateful, and that an attacker using a source port of 25 can bypass
the filter.

Try NMap with the -g <portnumber> option.

From the Nmap man page (http://www.insecure.org/nmap/nmap_manpage.html):

-g <portnumber>
Sets the source port number used in scans. Many naive firewall and packet
filter installations make an exception in their ruleset to allow DNS (53) or
FTP-DATA (20) packets to come through and establish a connection. Obviously
this completely subverts the security advantages of the firewall since
intruders can just masquerade as FTP or DNS by modifying their source port.
Obviously for a UDP scan you should try 53 first and TCP scans should try 20
before 53. Note that this is only a request -- nmap will honor it only if and
when it is able to. For example, you can't do TCP ISN sampling all from one
host:port to one host:port, so nmap changes the source port even if you used
-g.

Be aware that there is a small performance penalty on some scans for using
this option, because I sometimes store useful information in the source port
number.

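The filter the original poster is worried about, modelled as an added example (this is not code from the thread or from Nmap). It compares three filter designs on the same constructed packets: a stateless rule that admits inbound traffic because it comes from source port 25, a stateless rule that also requires the ACK flag on inbound packets, and a filter that keeps a table of the connections the inside host actually opened. The hosts, ports and packet sequence are all constructed for the demonstration; the filter functions are toy models, not any real firewall's rule syntax.

```python
"""Toy model of the outbound-only SMTP policy discussed in the thread.

Added example, not part of the original post or of Nmap. It shows why a
filter that trusts the source port is bypassed by a packet whose source
port is 25, why an ACK-flag check is only a partial fix, and why a table
of outbound connections is the real mitigation. Addresses are constructed
(RFC 5737 documentation ranges).
"""
from __future__ import annotations

from dataclasses import dataclass

INSIDE = "192.0.2.10"     # constructed: the protected mail host
OUTSIDE = "198.51.100.7"  # constructed: an arbitrary remote host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def outbound_smtp(pkt: Packet) -> bool:
    """The rule every variant shares: the inside host may talk to port 25 anywhere."""
    return pkt.src == INSIDE and pkt.dport == 25


def naive_filter(pkt: Packet) -> bool:
    """Stateless: inbound traffic is admitted purely because it comes *from*
    port 25. This is the rule the original poster suspects is in place."""
    if outbound_smtp(pkt):
        return True
    return pkt.dst == INSIDE and pkt.sport == 25


def ack_flag_filter(pkt: Packet) -> bool:
    """Still stateless, but an inbound packet must carry ACK (the classic
    pre-conntrack 'established' check). A bare SYN from port 25 can no longer
    open a connection, but any ACK-bearing packet from port 25 still passes."""
    if outbound_smtp(pkt):
        return True
    return pkt.dst == INSIDE and pkt.sport == 25 and pkt.ack


class StatefulFilter:
    """Remembers the 4-tuple of each connection the inside host initiated and
    admits an inbound packet only if it belongs to one of those flows."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if outbound_smtp(pkt):
            if pkt.syn and not pkt.ack:  # new connection attempt from inside
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt.dst == INSIDE and reverse in self.flows


def run_scenario() -> dict[str, dict[str, bool]]:
    """Feed a legitimate SMTP handshake and two packets spoofing source port 25
    through each filter, in order, and report what each filter admits."""
    packets = {
        # Legitimate outbound connection and the server's SYN/ACK reply.
        "legit_syn": Packet(INSIDE, 40001, OUTSIDE, 25, syn=True, ack=False),
        "legit_synack": Packet(OUTSIDE, 25, INSIDE, 40001, syn=True, ack=True),
        # Bare SYN from source port 25 to a port the inside host never opened.
        "syn_probe": Packet(OUTSIDE, 25, INSIDE, 22, syn=True, ack=False),
        # ACK-bearing packet from source port 25 to the same unopened port.
        "ack_probe": Packet(OUTSIDE, 25, INSIDE, 22, syn=False, ack=True),
    }
    stateful = StatefulFilter()
    filters = {
        "naive": naive_filter,
        "ack_flag": ack_flag_filter,
        "stateful": stateful.allow,
    }
    results: dict[str, dict[str, bool]] = {name: {} for name in filters}
    for pname, pkt in packets.items():
        for fname, fn in filters.items():
            results[fname][pname] = fn(pkt)
    return results


if __name__ == "__main__":
    for fname, verdicts in run_scenario().items():
        admitted = [p for p, ok in verdicts.items() if ok]
        print(f"{fname:9s} admits: {', '.join(admitted)}")
```

Running it shows the naive filter admitting every packet from port 25, the ACK-flag filter dropping the bare SYN but still passing the ACK probe, and only the connection-tracking filter admitting exactly the legitimate handshake. That is the check to make before trusting an "outbound only" rule: if inbound packets from port 25 reach ports nobody opened, the filter is matching on source port rather than on state.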
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards