And of course I forget the attachment...

On Friday 28 September 2001 12:21 pm, H D Moore wrote:
> On Friday 28 September 2001 08:52 am, PM Systems - Rick Woehler wrote:
> > I haven't been able to connect with my BO2k console and am beginning
> > to wonder if this is a false positive. I've seen Raptor Firewalls report
> > open ports when they in fact are not and am wondering if anyone has
> > advice on these high ports.
> >
> > # Nmap (V. nmap) scan initiated 2.53 as: nmap -sU -oN test.txt
> > xxx.xxx.xxx.xxx
> > Interesting ports on (xxx.xxx.xxx.xxx):
> > (The 1436 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 19/udp     open        chargen
>
> [ snip ]
>
> > 31335/udp  open        Trinoo_Register
> > 31337/udp  open        BackOrifice
>
> Those are more than likely false positives, the reason nmap reports these
> as open is because of how udp scanning works:
>
> Nmap sends a 0 byte udp packet.
> If Nmap receives an icmp port unreachable, the port is closed.
> If Nmap gets no response (or it's filtered) the port is open.
>
> So, to see if the port is _really_ open, try the following:
>
> # nmap -sU -p 31330-31340
>
> If all 10 ports come back open, then you can't trust the results at all.
> The only real workaround is send application level queries to each udp
> service to determine if it's alive, obviously that doesn't work for services
> like bo2k or snmp if you don't have the proper password/community string. I
> attached a script I wrote which does a DNS query on udp port 53 and looks
> for a response, due to the type of query (ptr for its own ip) almost every
> DNS server will respond to it.
>
> btw, it's now on the tools page of my site:
> http://www.digitaloffense.net/index.html?section=TOOLS

--
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play
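The application-level check described in the message, as an added example; it is not the script attached to the original post, which is not reproduced on this page. It builds a PTR query for the target's own address and separates a real DNS reply from an ICMP port unreachable and from silence. The function names, the transaction ID, and the platform-specific exception handling are assumptions of this sketch.

```python
import ipaddress
import socket
import struct
import sys

def build_ptr_query(ip: str, txid: int) -> bytes:
    """DNS query asking for the PTR record of ip's own reverse name."""
    name = ipaddress.IPv4Address(ip).reverse_pointer   # e.g. 53.2.0.192.in-addr.arpa
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + qname + struct.pack(">HH", 12, 1)          # QTYPE=PTR, QCLASS=IN

def is_dns_reply(data: bytes, txid: int) -> bool:
    """True if data is a DNS response (QR bit set) matching our transaction ID."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack(">HH", data[:4])
    return rid == txid and bool(flags & 0x8000)

def probe_dns(ip: str, port: int = 53, timeout: float = 3.0, txid: int = 0x1234) -> str:
    """Return 'open', 'closed', 'unverified' or 'no-response' for a UDP DNS port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # A connected UDP socket lets the OS report ICMP port unreachable
        # as an error on the next send/recv instead of silently dropping it.
        s.connect((ip, port))
        s.send(build_ptr_query(ip, txid))
        data = s.recv(512)
        return "open" if is_dns_reply(data, txid) else "unverified"
    except (ConnectionRefusedError, ConnectionResetError):
        return "closed"          # ICMP port unreachable came back
    except socket.timeout:
        return "no-response"     # filtered or dropped: what a 0-byte scan calls open
    finally:
        s.close()

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <ipv4-address>")
    print(sys.argv[1], probe_dns(sys.argv[1]))
```

Only the "open" result confirms a listening service; "no-response" is the case the 0-byte scan cannot tell apart from an open port.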
This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 11:15:34 PDT