Security Basics mailing list archives

Re: UDP question


From: ToddAndMargo <ToddAndMargo () zoho com>
Date: Mon, 14 Oct 2013 16:01:44 -0700

Hi! This is the ezmlm program. I'm managing the
security-basics () securityfocus com mailing list.

I'm working for my owner, who can be reached
at security-basics-owner () securityfocus com.

I'm sorry, the list moderators for the security-basics list
have failed to act on your post. Thus, I'm returning it to you.
If you feel that this is in error, please repost the message
or contact a list moderator directly.

--- Enclosed, please find the message you sent.


Re: UDP question.eml
Subject:
Re: UDP question
From:
ToddAndMargo <ToddAndMargo () zoho com>
Date:
10/08/2013 12:27 PM
To:
"security-basics () securityfocus com" <security-basics () securityfocus com>
CC:
Martino Dell'Ambrogio <tillo () tillo ch>

>> On 10/08/2013 03:10 AM, ToddAndMargo wrote:
>>> Hi All,
>>>
>>> I have been reading http://nmap.org/bennieston-tutorial/.  In the
>>> section on UDP, he states:
>>>
>>>     UDP Scanning is not usually useful for most types of attack,
>>>     but it can reveal information about services or trojans which
>>>     rely on UDP, for example SNMP, NFS, the Back Orifice trojan
>>>     backdoor and many other exploitable services.
>>>
>>>     Most modern services utilise TCP, and thus UDP scanning is
>>>     not usually included in a pre-attack information gathering
>>>     exercise unless a TCP scan or other sources indicate that
>>>     it would be worth the time taken to perform a UDP scan.
>>>
>>> I am a bit confused:
>>>
>>> 1) "unless a TCP scan or other sources indicate".  Okay.
>>> How would a UDP port that was open give you any indication
>>> that it was open with a TCP scan?
>>>
>>> 2) "for example SNMP, NFS, the Back Orifice Trojan backdoor".
>>> Is he talking about a compromised system or a system with
>>> a bunch of poorly thought out services running on it?
>>>
>>> 3) It is my understanding, that the malicious programs on
>>> a compromised system do not act as a server, meaning they
>>> do not open ports.  As I understand it, they communicate
>>> with their evil puppet masters by establishing out going
>>> connections to avoid the firewall.  The same way I avoid
>>> firewalls with Go To Assist.  Am I wrong here?
>>>
>>> Many thanks,
>>> -T


On 10/08/2013 12:25 AM, Martino Dell'Ambrogio wrote:
> Hello ToddAndMargo,
>
> I suggest that you think more before asking these questions.
> It is great to see someone so interested in this field and posing the
> right questions, but if you do not know how to use Google, read
> documentation or make your own brain work to answer these questions you
> will never be able to achieve higher levels of understanding.

Hi Martino,

What you are missing is that I am "over thinking", not "under thinking".
And, what makes you sure I am not Googling?  I actually have a ton
of bookmarks I pore over.  Also, I learn differently than others.
I can (and do) read long articles on the subject and still only have
a fuzzy understanding of the subject.  Then I can ask a seemingly
stupid question, get a one line answer (sometimes accompanied with
an insult), and suddenly I understand.

I am the same way with cooking.  I hate on-line recipes, as I
can never get them to come out right.  But, if I ask a question
on the cooking group, get a one line answer, Boom, right in.
I am much better learning from conversations than papers/lectures.
(I use papers/conversations as a starting point.)  And, now you
know more about me than anyone should ever know.

>
> 1)
> UDP scan is often slow because of a lack of response.

"supposedly" not on Windows because they don't follow the
RFCs like they should  (I am remembering one of those
links I googled.)

Fortunately, I have to only probe one Windows XP machine.
Well, after I am certain there is nothing else, other than me
on that network leg.

The only open port should be the port I use for OpenVPN,
which is not the default port.  I never use the default
ports on services open to the Internet.  (See, not so stupid
after all.)  And, you can't get into that one unless you
have the key (also generated by me) AND ask the operator
to connect the service.

And, I don't know of any exploits to get around OpenVPN.
And, OpenVPN is "on demand".  The user has to activate
it before you can log in.  Got to love it!

So far on my virtual machine test beds, I am completely
stealth.  No low hanging fruit.  And, if I can help it,
no fruit at all.

> Other protocols
> scans have much less probability of this behaviour.
> It is simply suggested to scan UDP only for "interesting" servers,
> meaning that you know that they are alive (by some other protocol reply)
> or, for example, they are the result of domain resolution (like ike.* or
> ns1.*).
>
> That said, I think this is wrong. In my experience UDP ports are much
> more probable than TCP. They are just much more difficult to spot and
> their inner protocols are much less often documented, but if you have
> the time and knowledge you should not skip scanning them. Just to prove
> this, nmap's own weighted services list has 4'687 UDP and 311 TCP
> services within the top 5'000.

That is what I thought.  Thank you.

>
> 2)
> Both. When you do pentests, you do not really care about that: your goal
> is to exploit features and bugs that the target did not know about, or
> did not care, to obtain more data and privileges.

Actually, since I am responsible for EVERYTHING, the very second
I find anything open, it is getting closed.  I am lucky that
I only have one XP POS machine on a single isolated leg (my
doing, by the way) to test.  Five total at different facilities.

So, my goal is to close everything up, not to see how far
into something I can get.  Not exactly what a penetration
tester is supposed to do, but no penetration is my goal.
Not, "you idiot, look what you left open and what I was
able to do with it".  This because the customer would say,
"you're the idiot that left it open".

>
> 3)
> Yes, you are wrong.
> While it was much more useful in the old days, when most people were
> connected to the Internet without firewalls or SNAT, a large amount of
> malicious programs leave a backdoor which by definition is not a
> connect-back channel.
> It is true, however, that the trend is changing, at least for mainstream
> botnets that generally use C&C servers nowadays.

Thank you.  I think I had blocked the horror out of
my head of those remaining Charter cable modems that
pass the raw IP address to the user.  With DHCP too.
You get a WAN address.  The bad guys could have all
the open ports they want.

On the bright side, Charter does block non-home user type
ports, which really messes up anyone who wants to work
from home over a VPN to work.  They want you to upgrade
to a business account.  But I think the bad guys already
know this and just use port 80.

>
> Remember what I said about thinking.
> Martino
>
> Martino Dell'Ambrogio
> Security Auditor
> Web: http://www.tillo.ch/
> Email: tillo () tillo ch
>

Thank you for the help!

-T
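Martino's point about nmap's weighted services list (many of the most frequently open ports are UDP) comes down to how the nmap-services table is ranked. The following is an added example, not code from the original thread or from nmap: it parses text in the real nmap-services layout (service name, port/protocol, open-frequency, optional "#" comment), ranks by open-frequency the way nmap's --top-ports does, and turns the common UDP ports into an argument for -sU. The entries and frequencies in SAMPLE_NMAP_SERVICES are constructed for illustration and are not nmap's real numbers.

```python
"""Rank an nmap-services table by open-frequency and see which protocol dominates the top N."""
from collections import Counter
from typing import Dict, List, NamedTuple


class ServiceEntry(NamedTuple):
    name: str
    port: int
    proto: str
    frequency: float


# Constructed sample in nmap-services format (not nmap's real data). Fields are whitespace
# separated; anything after '#' is a comment.
SAMPLE_NMAP_SERVICES = """\
# Fields: Service name, portnum/protocol, open-frequency, optional comments
http\t80/tcp\t0.484143\t# World Wide Web HTTP
snmp\t161/udp\t0.433467\t# Simple Net Mgmt Proto
netbios-ns\t137/udp\t0.365163\t# NETBIOS Name Service
ntp\t123/udp\t0.330879\t# Network Time Protocol
domain\t53/udp\t0.213496\t# Domain Name Server
https\t443/tcp\t0.208669\t# secure http (SSL)
ssh\t22/tcp\t0.182286\t# Secure Shell Login
isakmp\t500/udp\t0.163742\t# IKE key exchange
nfs\t2049/udp\t0.044531\t# networked file system
BackOrifice\t31337/udp\t0.000123\t# Back Orifice default port
unknown\t9999/sctp\t0.000001
"""


def parse_nmap_services(text: str) -> List[ServiceEntry]:
    """Parse nmap-services text, skipping blank lines, comments and malformed rows."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the trailing comment, if any
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        name, portproto, freq = fields[0], fields[1], fields[2]
        try:
            port_str, proto = portproto.split("/", 1)
            entries.append(ServiceEntry(name, int(port_str), proto.lower(), float(freq)))
        except ValueError:
            continue  # tolerate one bad row instead of aborting the whole parse
    return entries


def top_n_by_protocol(entries: List[ServiceEntry], n: int) -> Dict[str, int]:
    """Count how many of the n most frequently open ports are tcp/udp/sctp.

    Ranking is by open-frequency regardless of protocol, which is how nmap
    chooses its --top-ports set; protocol is only looked at afterwards.
    """
    ranked = sorted(entries, key=lambda e: e.frequency, reverse=True)[:n]
    return dict(Counter(e.proto for e in ranked))


def udp_ports_worth_scanning(entries: List[ServiceEntry], min_frequency: float) -> List[int]:
    """UDP ports seen open at least min_frequency of the time, most common first."""
    udp = [e for e in entries if e.proto == "udp" and e.frequency >= min_frequency]
    return [e.port for e in sorted(udp, key=lambda e: e.frequency, reverse=True)]


def nmap_port_arg(ports: List[int]) -> str:
    """Render a UDP port list in the form nmap's -p accepts, e.g. 'U:53,123,161'."""
    return "U:" + ",".join(str(p) for p in sorted(set(ports)))


if __name__ == "__main__":
    svc = parse_nmap_services(SAMPLE_NMAP_SERVICES)
    print("top 5 by protocol:", top_n_by_protocol(svc, 5))
    print("top 7 by protocol:", top_n_by_protocol(svc, 7))
    print("UDP ports open >= 10% of the time:", nmap_port_arg(udp_ports_worth_scanning(svc, 0.10)))
```

Point the parser at the real /usr/share/nmap/nmap-services (path assumed) to reproduce Martino's count for any N; the short UDP list is the practical answer to the tutorial's "worth the time" caveat, since a handful of high-frequency UDP ports scan in seconds while a full 65535-port sweep does not.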


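The "lack of response" that makes UDP scanning slow, and the Windows remark about ICMP rate limiting, are easiest to see with a probe of your own. The following is an added example, not code from the original thread or from nmap: classify_udp_probe maps a probe's outcome onto nmap's four UDP states (a UDP reply means open; ICMP type 3 code 3 means closed; ICMP type 3 codes 1, 2, 9, 10 or 13 mean filtered; silence means open|filtered), and probe_udp drives it from a plain UDP socket. The socket-level mapping relies on Linux delivering an ICMP port-unreachable as ECONNREFUSED even on an unconnected UDP socket; the loopback demo under __main__ (echoing listener, silent listener, and port 1 assumed unused) is constructed.

```python
"""Why UDP scanning is slow: closed ports answer with ICMP, open or filtered ones often say nothing."""
import socket
import threading
from typing import Optional

OPEN, CLOSED, FILTERED, OPEN_FILTERED = "open", "closed", "filtered", "open|filtered"

# ICMP type 3 (destination unreachable) codes and what a UDP scanner concludes from them.
ICMP_PORT_UNREACHABLE = 3
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}  # host/protocol unreachable, admin prohibited, ...


def classify_udp_probe(got_udp_reply: bool, icmp_type: Optional[int] = None,
                       icmp_code: Optional[int] = None) -> str:
    """Map one probe's outcome onto nmap's UDP port states.

    Only a UDP payload coming back proves 'open'. Silence means either an open service
    that ignored our payload or a firewall that dropped the probe, hence 'open|filtered'.
    """
    if got_udp_reply:
        return OPEN
    if icmp_type == 3 and icmp_code == ICMP_PORT_UNREACHABLE:
        return CLOSED
    if icmp_type == 3 and icmp_code in ICMP_FILTERED_CODES:
        return FILTERED
    return OPEN_FILTERED


def probe_udp(host: str, port: int, payload: bytes = b"\x00", timeout: float = 1.0,
              retries: int = 2) -> str:
    """Send a UDP probe and classify the answer, retransmitting on silence like a scanner does.

    On Linux an ICMP port-unreachable for a datagram we sent is reported as
    ConnectionRefusedError on the socket's next send/recv (assumed here); a timeout
    is the no-response case that costs a scanner a full round-trip budget per port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries + 1):
            try:
                sock.sendto(payload, (host, port))
                sock.recvfrom(4096)
                return classify_udp_probe(got_udp_reply=True)
            except ConnectionRefusedError:
                return classify_udp_probe(False, icmp_type=3, icmp_code=ICMP_PORT_UNREACHABLE)
            except socket.timeout:
                continue  # nothing back: retransmit, then give up as open|filtered
    return classify_udp_probe(False)


def estimate_scan_seconds(n_ports: int, icmp_replies_per_second: float) -> float:
    """Lower bound on wall time when the target rate-limits ICMP unreachables (Linux: about 1/s)."""
    return n_ports / icmp_replies_per_second


def _echo_listener(sock: socket.socket) -> None:
    """Constructed 'open' service for the demo: echo one datagram back to its sender."""
    data, peer = sock.recvfrom(4096)
    sock.sendto(data, peer)


if __name__ == "__main__":
    # Constructed loopback demo: one echoing listener, one silent listener, one closed port.
    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    echo.bind(("127.0.0.1", 0))
    threading.Thread(target=_echo_listener, args=(echo,), daemon=True).start()
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))  # bound but never answers: indistinguishable from a firewall drop
    targets = (("echo", echo.getsockname()[1]), ("silent", silent.getsockname()[1]), ("closed", 1))
    for label, port in targets:
        print(f"{label:>6} port {port}: {probe_udp('127.0.0.1', port, timeout=0.5)}")
    hours = estimate_scan_seconds(65536, 1.0) / 3600
    print(f"full 65536-port UDP sweep against a 1 ICMP/s limiter: at least {hours:.1f} h")
```

The silent listener is the whole problem in miniature: the scanner cannot tell it from a filtered port without a protocol-specific payload that the service will answer (nmap's -sV or a targeted SNMP/DNS/NTP probe), which is why a blind UDP sweep is both slow and inconclusive, and why a host that does not rate-limit its ICMP unreachables scans much faster.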

