Firewall Wizards mailing list archives

RE: source port specific port scan


From: "robert_david_graham" <robert_david_graham () yahoo com>
Date: Mon, 15 Oct 2001 12:29:00 -0700

Spoofing of the source port is common in both scanners and exploit scripts.
The two most popular source ports are 53 (dns) and 20 (ftp-data). Tools like
"ADMfzap" and "firewalk" take advantage of this directly, but other scanners
often include configuring the source port as an option. A number of exploit
scripts use these as source ports by default.

The reason, of course, is that a lot of legitimate incoming DNS requests and
responses come from port 53, and a lot of legitimate incoming FTP data
connections come from port 20. If I remember correctly, last year at
BlackHat, some people pointed out that some versions of Checkpoint make it
really easy for admins to make a mistake and trust anything from port 53
(dns).

Actually, I am surprised how little hackers are taking advantage of this.
This is still a wide-open hole throughout the Internet.

As for your case, yes, somebody could spoof an ACK scan from port 25. It's
not a huge hole; I doubt that no one (except the extremely paranoid) would
worry about it, especially since you are blocking incoming SYNs/no-ACK from
port 25 (aren't you?).


-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Rich Wilson
Sent: Friday, October 12, 2001 2:34 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] source port specific port scan


Does anyone know of a port scanner that allows you to specify the source
port? I'm trying to test a filter that allows outbound only SMTP. My worry
is that it is not stateful, and that an attacker using a source port of 25
can bypass the filter.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
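
Added example (not part of the original thread, and not code from any tool named in it): a small Python model of the filter behaviour discussed above, comparing a rule that judges inbound "replies" by source port 25 and the ACK flag alone with one that tracks outbound connections. The 10.0.0.0/8 inside network, the addresses, the packets and all names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10."   # assumption: internal hosts live in 10.0.0.0/8

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags, e.g. frozenset({"SYN"})

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def stateless_allow(p):
    """Outbound-only SMTP as a port-based rule pair with no connection table."""
    if is_inside(p.src) and p.dport == 25:
        return True                      # outbound SMTP
    if is_inside(p.dst) and p.sport == 25:
        return "ACK" in p.flags          # "reply" judged from the header alone
    return False

class StatefulFilter:
    """Allows inbound packets only on flows that an inside host opened."""
    def __init__(self):
        self.flows = set()

    def allow(self, p):
        if is_inside(p.src) and p.dport == 25:
            if p.flags == frozenset({"SYN"}):
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: must be the exact reverse of a recorded outbound flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 25, frozenset({"SYN"})),         # real outbound SMTP
    Packet("192.0.2.10", 25, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),  # its genuine reply
    Packet("198.51.100.7", 25, "10.0.0.8", 6000, frozenset({"ACK"})),        # unsolicited ACK, sport 25
    Packet("198.51.100.7", 25, "10.0.0.8", 6000, frozenset({"SYN"})),        # unsolicited SYN, sport 25
]

def compare(packets):
    """Return (stateless_decision, stateful_decision) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]
```

The third packet is the case raised in the thread: the header-only rule passes an unsolicited ACK from source port 25, while the connection-tracking filter drops it because no inside host opened that flow.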

