Security Basics mailing list archives
Re: UDP question
From: ToddAndMargo <ToddAndMargo () zoho com>
Date: Fri, 25 Oct 2013 16:42:45 -0700
Hi! This is the ezmlm program. I'm managing the security-basics () securityfocus com mailing list. I'm working for my owner, who can be reached at security-basics-owner () securityfocus com.

I'm sorry, the list moderators for the security-basics list have failed to act on your post. Thus, I'm returning it to you. If you feel that this is in error, please repost the message or contact a list moderator directly.

--- Enclosed, please find the message you sent.

Re: UDP question.eml
Subject: Re: UDP question
From: ToddAndMargo <ToddAndMargo () zoho com>
Date: 10/14/2013 04:02 PM
To: "security-basics () securityfocus com" <security-basics () securityfocus com>

--- Enclosed, please find the message you sent.

Re: UDP question.eml
Subject: Re: UDP question
From: ToddAndMargo <ToddAndMargo () zoho com>
Date: 10/08/2013 11:52 AM
To: "security-basics () securityfocus com" <security-basics () securityfocus com>
CC: Nibbler nib <nbblrr () gmail com>

>> On 8 October 2013 03:10, ToddAndMargo <ToddAndMargo () zoho com> wrote:
>>
>> Hi All,
>>
>> I have been reading http://nmap.org/bennieston-tutorial/. In the
>> section on UDP, he states:
>>
>>     UDP Scanning is not usually useful for most types of attack,
>>     but it can reveal information about services or trojans which
>>     rely on UDP, for example SNMP, NFS, the Back Orifice trojan
>>     backdoor and many other exploitable services.
>>
>>     Most modern services utilise TCP, and thus UDP scanning is
>>     not usually included in a pre-attack information gathering
>>     exercise unless a TCP scan or other sources indicate that
>>     it would be worth the time taken to perform a UDP scan.
>>
>> I am a bit confused:
>>
>> 1) "unless a TCP scan or other sources indicate". Okay.
>> How would a UDP port that was open give you any indication
>> that it was open with a TCP scan?
>>
>> 2) "for example SNMP, NFS, the Back Orifice Trojan backdoor".
>> Is he talking about a compromised system or a system with
>> a bunch of poorly thought out services running on it?
>>
>> 3) It is my understanding that the malicious programs on
>> a compromised system do not act as a server, meaning they
>> do not open ports. As I understand it, they communicate
>> with their evil puppet masters by establishing outgoing
>> connections to avoid the firewall. The same way I avoid
>> firewalls with Go To Assist. Am I wrong here?
>>
>> Many thanks,
>> -T

On 10/08/2013 06:12 AM, Nibbler nib wrote:
> Hi,
>
> 1) Some services use both TCP and UDP (NFS, DNS...), so you can
> identify services through TCP scans and gather more information with a UDP
> scan.

Hi Nibbler,

Okay. Now I understand. Easier to find the "duals" on TCP than UDP. I was in a "single" only mindset.

> 2) Both. SNMP, NFS may have a vulnerable version, while you can identify
> a trojan listening on the system.
>
> 3) Once the system is compromised, you can do whatever you want.
> Historically, trojans were often listening on some ports to allow remote
> control, but with the increasing NAT/firewall usage, now malware is
> often using remote connections to C&C servers.

Okay. Now that I think about it, there are modem/routers out there that still pass on the raw I.P. address to the user. Charter is really bad about that. Whenever I find one, I try to get the customer to let me install a simple NAT router. I seldom succeed. They act like I am trying to sell them snake oil, right along with that UPS and backup drive I tried to sell them.

I "had" a customer who is so badly infected, he can't send out eMail from his tape backup program at night because his computer, which he leaves on all night, is so congested with outgoing spam that it swamps his Internet connection. The Command and Control must be a thing to behold. He has NAT too, so the infections were probably just listening.

His solution was to remove Kaspersky, which bitched about all the infections it could not remove, and replace it with m$ security essentials, which could not find the infections, so he did not have to be bothered.

Which does raise another question, but I will post it under another subject.

Thank you for the excellent write up!

-T

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
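An added example, not part of the thread, illustrating Nibbler's point 1 (a service found on TCP, such as DNS on 53/tcp, is then checked on its UDP side) and why a UDP check needs a protocol-correct probe: a bare UDP scan sends an empty datagram and an open port answers with silence, while a real DNS query draws a reply. The "service" here is a constructed stand-in bound to an ephemeral port on 127.0.0.1, not a real resolver.

```python
import socket
import struct

# Constructed stand-in for a host a TCP scan showed running DNS on 53/tcp: a UDP
# "service" on 127.0.0.1 that answers only well-formed DNS queries, so an empty
# datagram (what a bare UDP scan sends) gets silence but a real query gets a reply.

def build_dns_query(name, txid=0x1234):
    """Build a DNS A/IN query for `name` (QR=0, RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_reply(reply):
    """Return (txid, is_response) from a DNS header, or None if absent/malformed."""
    if reply is None or len(reply) < 12:
        return None
    txid, flags = struct.unpack("!HH", reply[:4])
    return txid, bool(flags & 0x8000)

def service_answer(srv):
    """The stand-in service: reply only to a well-formed DNS query, else stay silent."""
    data, peer = srv.recvfrom(512)
    if len(data) >= 12 and not data[2] & 0x80:          # header present, QR=0
        # Echo the query with QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN)
        srv.sendto(data[:2] + struct.pack("!H", 0x8183) + data[4:], peer)

def probe_udp(srv, payload, timeout=0.5):
    """Send `payload` to the service, let it react, return its reply or None."""
    port = srv.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, ("127.0.0.1", port))
        service_answer(srv)                             # UDP is connectionless, so this
        try:                                            # can run in the same thread
            return s.recv(512)
        except socket.timeout:
            return None

def demo():
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                          # ephemeral port
    srv.settimeout(1.0)
    try:
        empty = probe_udp(srv, b"")                     # bare scan: no reply
        dns = probe_udp(srv, build_dns_query("example.com", 0xBEEF))
    finally:
        srv.close()
    return {"empty_probe_replied": empty is not None, "dns_probe": parse_reply(dns)}
```

The same silence-on-empty-probe behaviour is why open UDP ports show up as "open|filtered" in a plain scan, and why confirming a service on UDP means sending it the payload it actually speaks.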