Security Basics mailing list archives

Re: UDP question


From: ToddAndMargo <ToddAndMargo () zoho com>
Date: Fri, 25 Oct 2013 16:42:45 -0700



Hi! This is the ezmlm program. I'm managing the
security-basics () securityfocus com mailing list.

I'm working for my owner, who can be reached
at security-basics-owner () securityfocus com.

I'm sorry, the list moderators for the security-basics list
have failed to act on your post. Thus, I'm returning it to you.
If you feel that this is in error, please repost the message
or contact a list moderator directly.

--- Enclosed, please find the message you sent.


Re: UDP question.eml
Subject:
Re: UDP question
From:
ToddAndMargo <ToddAndMargo () zoho com>
Date:
10/14/2013 04:02 PM
To:
"security-basics () securityfocus com" <security-basics () securityfocus com>



Re: UDP question.eml
Subject:
Re: UDP question
From:
ToddAndMargo <ToddAndMargo () zoho com>
Date:
10/08/2013 11:52 AM
To:
"security-basics () securityfocus com" <security-basics () securityfocus com>
CC:
Nibbler nib <nbblrr () gmail com>

>> On 8 October 2013 03:10, ToddAndMargo <ToddAndMargo () zoho com
>> <mailto:ToddAndMargo () zoho com>> wrote:
>>
>>     Hi All,
>>
>>     I have been reading http://nmap.org/bennieston-__tutorial/
>>     <http://nmap.org/bennieston-tutorial/>.  In the
>>     section on UDP, he states:
>>
>>         UDP Scanning is not usually useful for most types of attack,
>>         but it can reveal information about services or trojans which
>>         rely on UDP, for example SNMP, NFS, the Back Orifice trojan
>>         backdoor and many other exploitable services.
>>
>>         Most modern services utilise TCP, and thus UDP scanning is
>>         not usually included in a pre-attack information gathering
>>         exercise unless a TCP scan or other sources indicate that
>>         it would be worth the time taken to perform a UDP scan.
>>
>>     I am a bit confused:
>>
>>     1) "unless a TCP scan or other sources indicate".  Okay.
>>     How would a UDP port that was open give you any indication
>>     that it was open with a TCP scan?
>>
>>     2) "for example SNMP, NFS, the Back Orifice Trojan backdoor".
>>     Is he talking about a compromised system or a system with
>>     a bunch of poorly thought out services running on it?
>>
>>     3) It is my understanding, that the malicious programs on
>>     a compromised system do not act as a server, meaning they
>>     do not open ports.  As I understand it, they communicate
>>     with their evil puppet masters by establishing outgoing
>>     connections to avoid the firewall.  The same way I avoid
>>     firewalls with Go To Assist.  Am I wrong here?
>>
>>     Many thanks,
>>     -T

On 10/08/2013 06:12 AM, Nibbler nib wrote:
> Hi,
>
> 1) Some services use both TCP and UDP (NFS, DNS...), so you can
> identify services through TCP scans and gather more information with a UDP
> scan.

Hi Nibbler,

Okay.  Now I understand.  Easier to find the "duals" on TCP than
UDP.  I was in a "single" only mindset.

> 2) Both. SNMP, NFS may have a vulnerable version, while you can identify a
> trojan listening on the system.
>
> 3) Once the system is compromised, you can do whatever you want.
> Historically, trojans were often listening on some ports to allow remote
> control, but with the increasing NAT/firewall usage, malware is now
> often using outbound connections to C&C servers.

Okay.  Now that I think about it, there are modem/routers out there
that still pass on the raw I.P. address to the user.  Charter
is really bad about that.

Whenever I find one, I try to get the customer to let me install
a simple NAT router.  I seldom succeed.  They act like I am
trying to sell them snake oil, right along with that UPS
and backup drive I tried to sell them.

I "had" a customer who is so badly infected, he can't send
out eMail from his tape backup program at night because
his computer, which he leaves on all night, is so congested
with outgoing spam that it swamps his Internet connection.
The Command and Control must be a thing to behold.  He
has NAT too, so the infections were probably just listening.

His solution was to remove Kaspersky, which bitched
about all the infections it could not remove, and replace
it with m$ security essentials, which could not find
the infections, so he did not have to be bothered.

Which does raise another question, but I will post it
under another subject.

Thank you for the excellent write up!

-T



--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
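As an added illustration of the two malware communication patterns Nibbler describes (a backdoor listening on a UDP port, versus a NATed host pushing outbound traffic to C&C or spam targets), the following Python is not from the thread. It assumes a constructed `ss -lun` style listing and a constructed CSV of outbound flows; the UDP baseline, the host addresses and the thresholds are made-up sample values, and 31337 is used only because it is Back Orifice's well-known default port.

```python
"""Defender-side checks for the two patterns discussed in the thread:
(a) an unexpected UDP listener on a host (the classic listening backdoor);
(b) a host opening outbound SMTP connections to many distinct destinations,
    the 'swamps his Internet connection with spam' symptom."""
from collections import defaultdict

# Constructed sample in the shape of `ss -lun` output (not captured data).
SS_LISTEN = """\
UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
UNCONN 0 0 0.0.0.0:2049 0.0.0.0:*
UNCONN 0 0 0.0.0.0:31337 0.0.0.0:*
"""

# Constructed outbound flow records: src,dst,dport,proto (not captured data).
FLOWS = """\
192.168.1.20,203.0.113.5,25,tcp
192.168.1.20,203.0.113.6,25,tcp
192.168.1.20,203.0.113.7,25,tcp
192.168.1.20,203.0.113.8,25,tcp
192.168.1.30,192.168.1.2,25,tcp
192.168.1.30,192.168.1.2,25,tcp
192.168.1.30,198.51.100.9,443,tcp
"""

# UDP ports the administrator documented as expected (assumed baseline):
# 161 = SNMP, 2049 = NFS, both named in the tutorial the OP quotes.
EXPECTED_UDP = {161, 2049}


def unexpected_udp_listeners(ss_output, baseline=EXPECTED_UDP):
    """Return listening UDP ports that are not in the documented baseline."""
    found = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "UNCONN":
            continue
        # Local address is the 4th column, e.g. 0.0.0.0:31337 or [::]:53.
        found.add(int(parts[3].rsplit(":", 1)[1]))
    return sorted(found - baseline)


def outbound_smtp_spreaders(flows_csv, max_distinct_dst=2):
    """Return sources talking SMTP to more distinct hosts than a normal
    mail client would (a legitimate client uses one or two relays)."""
    dsts = defaultdict(set)
    for line in flows_csv.splitlines():
        src, dst, dport, proto = line.strip().split(",")
        if proto == "tcp" and dport == "25":
            dsts[src].add(dst)
    return sorted(s for s, d in dsts.items() if len(d) > max_distinct_dst)
```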

