mkettler at ...4108...
Wed Nov 19 17:38:07 EST 2003
At 06:57 AM 11/19/2003, Mark Fagan wrote:
>Do people really do filtering based on source port ?????
Yes, people really do make this mistake. I'm not making it up. Believe it
or not, stupid people exist ;)
As evidence that it's not just me, this is a common enough firewall flaw
that there's even an option in nmap to take advantage of this mistake.
From the nmap manpage:
Sets the source port number used in scans. Many naive firewall and packet
filter installations make an exception in their ruleset to allow DNS (53)
or FTP-DATA (20) packets to come through and establish a connection.
Obviously this completely subverts the security advantages of the firewall
since intruders can just masquerade as FTP or DNS by modifying their source
port. Obviously for a UDP scan you should try 53 first and TCP scans should
try 20 before 53. Note that this is only a request -- nmap will honor it
only if and when it is able to. For example, you can't do TCP ISN sampling
all from one host:port to one host:port, so nmap changes the source port
even if you used -g.
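To make the flaw in that manpage text concrete, here is a small packet-filter model I added for this reply (it is not from nmap or from the original thread). It contrasts the naive "trust source port 53/20" rule with a reply-only stateful rule; the packets and addresses are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # set on a TCP connection-opening packet (bare SYN)

def naive_filter(pkt: Packet) -> bool:
    """The mistaken ruleset: trust anything whose *source* port is DNS or FTP-DATA."""
    if pkt.proto == "udp" and pkt.sport == 53:
        return True
    if pkt.proto == "tcp" and pkt.sport == 20:
        return True
    return False  # default deny

class StatefulFilter:
    """Reply-only ruleset: inbound packets are accepted only if they answer a
    flow that an inside host initiated (tracked in a 5-tuple table)."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt: Packet) -> None:
        # Record the flow the inside host opened.
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> bool:
        # A reply comes from the remote (dst, dport) back to our (src, sport).
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.flows:
            return False
        # A bare TCP SYN is a new connection, never a reply, whatever its source port.
        return not (pkt.proto == "tcp" and pkt.syn)

# Constructed samples (documentation addresses, not real hosts).
probe = Packet("tcp", "203.0.113.9", 20, "192.0.2.10", 22, syn=True)   # SYN to ssh, sport 20
query = Packet("udp", "192.0.2.10", 40001, "198.51.100.53", 53)         # inside host asks DNS
answer = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 40001)        # the real DNS reply

def demo() -> dict:
    sf = StatefulFilter()
    sf.outbound(query)
    return {
        "naive_probe": naive_filter(probe),        # True: the flaw the manpage describes
        "naive_answer": naive_filter(answer),      # True
        "stateful_probe": sf.inbound(probe),       # False: no matching outbound flow
        "stateful_answer": sf.inbound(answer),     # True
    }
```

Running `demo()` shows the naive rule passing the port-20 SYN while the stateful rule drops it and still lets the genuine DNS answer through.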
More information about the Snort-users