Security Basics mailing list archives

RE: an error in the NMAP docs?

From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 6 Apr 2005 17:16:34 -0700

If you create with a machine that is protected both inbound 
and outbound by deny all rules and then add a packet filter 
rule to allow the machine to act as a DNS server (inbound port 
53). If you then scan this machine now by using the 
"--source_port 53" option, scans won't get through and no other
services will be exposed.


  Correct but irrelevant.  The NMAP docs refer to a possible way 
to get to DNS *clients*, not DNS servers.

If you add a client rule so the machine can ftp out (outbound 
port 20), using the "--source_port 20" option will now allow 
scans to pass through and will expose all the services the machine 
has to offer. This is due to the fact that only client service 
definitions allow access to all ports on the local machine. 
Server type definitions do not exhibit this behavior as
described in the preceding paragraph.


  Again, correct but irrelevant.  In order to talk non-PASV FTP,
the *client* needs to be able to receive connections sourced from
the server's port 20.  On some/many networks, this is achieved by
permitting ALL clients to receive connections from ANYBODY's
port 20.  Packets from source port 20 to vulnerable-but-normally-
filtered-port N thus *may* be able to sidestep the filters and
reach the vulnerable clients.

If the above paragraphs are correct, I think the NMAP docs 
are incorrect as
they are describing the exploit of a "server type service" 
rule with the
line "Many naive firewall and packet filter installations 
make an exception
in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come
through and establish a connection". To me, saying "allow DNS (53) or
FTP-DATA (20) packets to come  through" implies server 
services at port 53
and 20 on the machine.


  And FTP-DATA is normally "served" by the FTP client.  (DNS isn't,
but some networks are configured as if it was -- which is the point.)

I think the sentence should be written: "Many naive firewall 
and packet
filter installations make an exception in their rule-set to 
allow outbound
DNS (53) or FTP-DATA (20) packets to pass"... thus making a hole that
--source_port can exploit.


  But the exception which is the hole refers to allowing inbound packets
if their source port is one of these two magic values....

Mike

-----Original Message-----
From: Michael Herz 
Sent: Friday, April 01, 2005 8:05 AM
To: security-basics () securityfocus com
Subject: an error in the NMAP docs?

Hi all,

Is there an error in the NMAP docs? The --source_port section says:

"Many naive firewall and packet filter installations make an
exception in
their rule-set to allow DNS (53) or FTP-DATA (20) packets to  
come  through
and establish a connection. Obviously this completely 
subverts the security
advantages of the firewall since intruders can just 
masquerade  as FTP or
DNS by modifying their source port."

This implies that the hole in a packet filtered machine
exists if it has
allowed inbound DNS or FTP connections. I don't believe this 
is true. I
think the hole only exists if the machine has allowed 
outbound (ie client)
connections from the machine. For example if the machine 
allowed outbound
DNS client requests to the world, using --source_port 53 
would exploit the
hole.



--------------------------------------------------------------
-------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified 
information security 
professionals.  Norwich University is fulfilling this demand 
with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity 
to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
--------------------------------------------------------------
--------------


---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security 
professionals.  Norwich University is fulfilling this demand with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------

Current thread:

an error in the NMAP docs? Michael Herz (Apr 04)
- Re: an error in the NMAP docs? Barrie Dempster (Apr 05)
- RE: an error in the NMAP docs? David Gillett (Apr 06)
  - RE: an error in the NMAP docs? Michael Herz (Apr 06)
    - RE: an error in the NMAP docs? David Gillett (Apr 07)
    - RE: an error in the NMAP docs? Michael Herz (Apr 07)
    - RE: an error in the NMAP docs? David Gillett (Apr 08)
    - RE: an error in the NMAP docs? Michael Herz (Apr 08)
    - RE: an error in the NMAP docs? David Gillett (Apr 08)
    - RE: an error in the NMAP docs? Michael Herz (Apr 08)
- <Possible follow-ups>
- RE: an error in the NMAP docs? Fields, James (Apr 05)