Security Basics mailing list archives
RE: an error in the NMAP docs?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 6 Apr 2005 17:16:34 -0700
If you create with a machine that is protected both inbound and outbound by deny all rules and then add a packet filter rule to allow the machine to act as a DNS server (inbound port 53). If you then scan this machine now by using the "--source_port 53" option, scans won't get through and no other services will be exposed.
Correct but irrelevant. The NMAP docs refer to a possible way to get to DNS *clients*, not DNS servers.
If you add a client rule so the machine can ftp out (outbound port 20), using the "--source_port 20" option will now allow scans to pass through and will expose all the services the machine has to offer. This is due to the fact that only client service definitions allow access to all ports on the local machine. Server type definitions do not exhibit this behavior as described in the preceding paragraph.
Again, correct but irrelevant. In order to talk non-PASV FTP, the *client* needs to be able to receive connections sourced from the server's port 20. On some/many networks, this is achieved by permitting ALL clients to receive connections from ANYBODY's port 20. Packets from source port 20 to vulnerable-but-normally- filtered-port N thus *may* be able to sidestep the filters and reach the vulnerable clients.
If the above paragraphs are correct, I think the NMAP docs are incorrect as they are describing the exploit of a "server type service" rule with the line "Many naive firewall and packet filter installations make an exception in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection". To me, saying "allow DNS (53) or FTP-DATA (20) packets to come through" implies server services at port 53 and 20 on the machine.
And FTP-DATA is normally "served" by the FTP client. (DNS isn't, but some networks are configured as if it was -- which is the point.)
I think the sentence should be written: "Many naive firewall and packet filter installations make an exception in their rule-set to allow outbound DNS (53) or FTP-DATA (20) packets to pass"... thus making a hole that --source_port can exploit.
But the exception which is the hole refers to allowing inbound packets if their source port is one of these two magic values....
Mike-----Original Message----- From: Michael Herz Sent: Friday, April 01, 2005 8:05 AM To: security-basics () securityfocus com Subject: an error in the NMAP docs? Hi all, Is there an error in the NMAP docs? The --source_port section says: "Many naive firewall and packet filter installations make an exception in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection. Obviously this completely subverts the security advantages of the firewall since intruders can just masquerade as FTP or DNS by modifying their source port." This implies that the hole in a packet filtered machine exists if it has allowed inbound DNS or FTP connections. I don't believe this is true. I think the hole only exists if the machine has allowed outbound (ie client) connections from the machine. For example if the machine allowed outbound DNS client requests to the world, using --source_port 53 would exploit the hole.-------------------------------------------------------------- ------------- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- Earn your MS in Information Security ONLINE Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life. http://www.msia.norwich.edu/secfocus_en ----------------------------------------------------------------------------
Current thread:
- an error in the NMAP docs? Michael Herz (Apr 04)
- Re: an error in the NMAP docs? Barrie Dempster (Apr 05)
- RE: an error in the NMAP docs? David Gillett (Apr 06)
- RE: an error in the NMAP docs? Michael Herz (Apr 06)
- RE: an error in the NMAP docs? David Gillett (Apr 07)
- RE: an error in the NMAP docs? Michael Herz (Apr 07)
- RE: an error in the NMAP docs? David Gillett (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 08)
- RE: an error in the NMAP docs? David Gillett (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 06)
- <Possible follow-ups>
- RE: an error in the NMAP docs? Fields, James (Apr 05)