Hi All,

Thanks for all your help and more or less useful hints. I want to thank especially:

- Michael H. Warfield for his explanation of how toasted the customer is.
- Russ Cooper for a) his superb explanation of ports 1027 and 1030 and b) his misunderstanding of what those results I posted really mean (Sorry Russ, you were so off-road with your hard-disk-destroying technique that I had to counter, but that's not the topic of this list, offending people...).
- Rodney van den Oever and Thomas Lopatic for pointing out the real problem.

The ISP of the customer filters tcp 12345 and udp 31337 on his border routers; however, other ports which I think should be filtered instead, like udp/tcp 135-137, are permitted. That's why nmap returns i.e. 12345 as listening. Who would expect one of the largest Swiss ISPs to be so shortsighted? Netbus and BO2K can be run on any port, and I guess that's the approach an attacker takes.

I was able to reproduce this in my testing environment by setting up the following acl and portscanning a machine behind that router which definitely hasn't netbus running or 12345 open:

    deny tcp any any eq 12345
    permit ip any any

To quote Thomas Lopatic with his fine explanation of what was going on:

> 12345 filtered tcp NetBus
> 31337 open udp BackOrifice
>
> "filtered" means that there was a timeout when nmap tried to connect to
> port 12345. Hence, this port is probably filtered at some firewall
> between you and the computer you scanned.
>
> The same is probably true for port 31337. UDP scanning works as follows.
> nmap sends a UDP packet to a port and then waits for an ICMP port
> unreachable message, which indicates that there is no service
> listening at that particular port. If it does not get an ICMP port
> unreachable message, nmap will tell you that there is a service that
> listens at the port.
>
> If the UDP message is filtered at an intermediate firewall, then the
> computer will never see that UDP packet and you will never get an ICMP
> port unreachable - and nmap thinks that there is some listening service.
> I think that this is the most plausible explanation: a packet filter
> that protects the network that you have scanned.

Thanks for all your help and I hope somebody else can profit from this information too.

Cheers,
Christoph

---------------------------------------------------+
/ Christoph Schneeberger / SCS TeleMedia           |
/ cschneeat_private / Liestalerstrasse 47          |
/ 4419 Lupsingen / http://www.telemedia.ch         |
/ tel +41 61 915 9155 / fax +41 61 911 0714        |
/ PGP-Key http://www.telemedia.ch/pgpkeys/cschnee.asc |
--------------------------------------------------------+

This e-mail is confidential and may be privileged. It may be read, copied and used only by the addressee. If you have received it in error, please contact us immediately.
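The mechanism Thomas describes above (a border ACL turning TCP 12345 into "filtered" and UDP 31337 into an apparent listener) can be modelled without touching a network. The following is an added example, not code from the post or from nmap: it parses the small subset of Cisco extended-ACL syntax used in the message, models how an end host answers TCP and UDP probes, and applies nmap's inference rules to the reply (or to silence). The ACL, the target host's listening ports and the probe list are constructed sample values; the `open|filtered` label is what current nmap prints for silent UDP ports, whereas the nmap of the post simply reported them as "open".

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    port: Optional[int]  # destination port from an "eq" clause, None for any port


def parse_acl(text: str) -> list[Rule]:
    """Parse lines of the form '<permit|deny> <ip|tcp|udp> any any [eq <port>]'.
    Only the subset used in the post is supported; source/destination are always 'any'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        port = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        rules.append(Rule(tok[0], tok[1], port))
    return rules


def acl_permits(rules: list[Rule], proto: str, dport: int) -> bool:
    """First matching rule wins; an ACL ends with an implicit deny (Cisco semantics)."""
    for r in rules:
        if r.proto in ("ip", proto) and (r.port is None or r.port == dport):
            return r.action == "permit"
    return False


def host_reply(listening: dict, proto: str, dport: int) -> Optional[str]:
    """What the end host sends back once a probe actually reaches it."""
    if proto == "tcp":
        return "syn-ack" if dport in listening["tcp"] else "rst"
    # UDP: a closed port answers with ICMP port unreachable; a real service is
    # usually silent when it receives an empty probe datagram.
    return None if dport in listening["udp"] else "icmp-unreach"


def classify(proto: str, reply: Optional[str]) -> str:
    """Nmap's inference from the reply, or from the absence of one."""
    if proto == "tcp":
        return {"syn-ack": "open", "rst": "closed"}.get(reply, "filtered")
    # Silence on UDP cannot be told apart from an open service: the probe may
    # have been dropped by a filter or accepted by a quiet daemon.
    return "closed" if reply == "icmp-unreach" else "open|filtered"


def scan(acl_text: str, listening: dict, probes: list) -> dict:
    """Run each probe through the ACL, then through the host, then through nmap's logic."""
    rules = parse_acl(acl_text)
    results = {}
    for proto, dport in probes:
        reply = host_reply(listening, proto, dport) if acl_permits(rules, proto, dport) else None
        results[(proto, dport)] = classify(proto, reply)
    return results


# Constructed sample: the ISP filter from the post and a target running only SSH and DNS.
ISP_ACL = """
deny tcp any any eq 12345
deny udp any any eq 31337
permit ip any any
"""
TARGET = {"tcp": {22}, "udp": {53}}
PROBES = [("tcp", 22), ("tcp", 135), ("tcp", 12345),
          ("udp", 53), ("udp", 137), ("udp", 31337)]

if __name__ == "__main__":
    for (proto, port), state in scan(ISP_ACL, TARGET, PROBES).items():
        print(f"{port:>5}/{proto}  {state}")
```

Running it reproduces the paradox: the two trojan ports the ISP blocks are the only ones that look suspicious (12345/tcp "filtered", 31337/udp "open|filtered"), while the NetBIOS ports the ISP lets through are correctly reported closed. Dropping the deny lines makes 12345/tcp report "closed", which is what the host really is.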
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:52 PDT