Penetration Testing mailing list archives

Re: BO2k Port?

From: H D Moore <hdm () secureaustin com>
Date: Fri, 28 Sep 2001 12:22:35 -0500

And of course I forget the attachment...


On Friday 28 September 2001 12:21 pm, H D Moore wrote:

On Friday 28 September 2001 08:52 am, PM Systems - Rick Woehler wrote:

   I haven't been able to connect with my BO2k consolde and am beginning
to wonder if this is a false positive.  I've seen Raptor Firewalls report
open ports when they in fact are not and am wondering if anyone has
advice on these high ports.

# Nmap (V. nmap) scan initiated 2.53 as: nmap -sU -oN test.txt
xxx.xxx.xxx.xxx
Interesting ports on  (xxx.xxx.xxx.xxx):
(The 1436 ports scanned but not shown below are in state: closed)
Port       State       Service
19/udp     open        chargen


[ snip ]

31335/udp  open        Trinoo_Register
31337/udp  open        BackOrifice


Those are more than likely false positives, the reason nmap reports these
as open is because of how udp scanning works:

Nmap sends a 0 byte udp packet.
If Nmap receives a icmp port unreachable, the port is closed.
If Nmap gets no response (or its filtered) the port is open.

So, to see if the port is _really_ open, try the following:

# nmap -sU -p 31330-31340

If all 10 ports come back open, then you cant trust the results at all. 
The only real workaround is send application level queries to each udp
service to determine if its alive, obviously that doesn't work for services
like bo2k or snmp if you dont have the proper password/community string. I
attached a script I wrote which does a DNS query on udp port 53 and looks
for a response, due to the type of query (ptr for its own ip) almost every
DNS server will respond to it.

btw, its now on the tools page of my site:
http://www.digitaloffense.net/index.html?section=TOOLS


-- 
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play

Attachment: scandns.pl
Description:

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

BO2k Port? PM Systems - Rick Woehler (Sep 28)
- Re: BO2k Port? Daniel Roethlisberger (Sep 28)
- Re: BO2k Port? H D Moore (Sep 28)
- Re: BO2k Port? H D Moore (Sep 28)