from:"orly\-fu"

Re: Port Scan for UDP

2001-10-21 Thread orly-fu


Excuse your arrogance, but let me correct you in some points you made!

First of all nmap does not scan only the services listed in /etc/services, if 
you were to have bothered reading the manual before answering you would have 
read, and I quote: 
The default  is  to  scan  all ports  between  1  and  1024  as  well as any 
ports listed in the services file which comes with  nmap. NOTE! Comes with 
nmap! usually located in /usr/local/share/nmap/nmap-services.

You could have spared the TCP/UDP diff lecture since the question wasn't 
directed to that... Although you were correct about UDP and it's difficulty 
when it comes to remote scanning.

jc: If you own the box and *don't* have any reason to assume/think you've 
been compromised (Just checking) you can check locally using nice tools like:
netstat -an --ip for both udp and tcp or netstat -an --udp[--tcp] for 
either one.
lsof -i -n 
nmap localhost -p 1-[HigherPortNumber]
fuser 
and the list goes on =)

-xbud
-
[EMAIL PROTECTED]
I only drink to make other people interesting
-

On Sunday 21 October 2001 09:45 am, Craig McPherson wrote:
 I can't believe nobody has answered this correctly yet.  UDP is
 different than TCP in that it is a stateless protocol, and that means
 you have to understand a few things to interpret UDP port scan results
 correctly.  With TCP scans, you get one of three results:  OPEN
 (meaning that the TCP handshake sequence to open a connection
 completed), CLOSED (meaning that the target sent a port closed ICMP
 message), or FILTERED (meaning that no response was received at all:
 this is also called stealthed by so-called security experts like
 Steve Gibson but it's a good idea to ignore him just on general
 principles).

 UDP is a completely stateless protocol, though.  Even if you send a UDP
 packet to a port that a valid daemon is listening on, the system isn't
 obligated to send anything back to you at all: there is no handshake
 sequence to establish a connection.  So making a determination is
 harder than with TCP.  If you receive a port closed ICMP message, the
 port can be safely listed as CLOSED, but if you receive nothing at all,
 that could mean that the port is either OPEN or FILTERED -- it's pretty
 much impossible to tell the difference.

 NMAP assumes that every UDP port that it doesn't receive a responsee
 from is OPEN, which means that if you have your firewall DROP all UDP
 connections, every UDP port will appear as open.  If you want to fix
 this, have your firewall REJECT instead of DROP, and the ports will
 appear correctly as CLOSED to a port scan.  DROPing connections without
 a response is in violation of the RFCs, too, if you care about that
 sort of thing.  Having the local machine portscan itself will also tell
 you which UDP ports are *actually* open, because I assume you don't
 have your firewall set to DROP packets from itself.

 Also, did you know that by default, nmap only scans ports listed in its
 services file?  So although it scans commonly-used ports, it's not
 scanning the entire system.  If you have enough time (this will make
 the scan very slow, especially over a slow network link), use the -p 1-
  argument to every scan to force nmap to scan every port from 1 to
 65535 instead of just the maybe 400 or 500 ports that it has listed in
 its services file.  That's the only way you can get a complete picture
 of what your box looks like from the outside.

  I'm doing portscans on a system I'm working to learn more about
  securing hosts and setting up iptables.  My tcp portscan reported
  what I expected, only www, ssh and smtp listening.  The udp
  portscan reported a huge list of 'open' ports.  I really didn't
  know what to expect for this scan, so I want to know if this is
  normal.  Just for grins, I removed every udp listing in
  /etc/services and restarted inetd and the scan came back the
  same.  I figure this is normal, but if someone can confirm this
  behaviour, I'd really appreciate it.
 
  If this isn't secure behaviour, perhaps I can add an iptables
  entry like:
 
  iptables -A INPUT -p udp -j drop
 
  However, I don't have any applications running using udp, so the
  'open' port doesn't have anywhere to go, as far as I know.
  Again, if someone can confirm this, I'd really appreciate it.
 
  thanks,
  jc


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Port Scan for UDP

2001-10-21 Thread orly-fu

Excuse your arrogance, but let me correct you in some points you made!

First of all nmap does not scan only the services listed in /etc/services, if 
you were to have bothered reading the manual before answering you would have 
read, and I quote: 
The default  is  to  scan  all ports  between  1  and  1024  as  well as any 
ports listed in the services file which comes with  nmap. NOTE! Comes with 
nmap! usually located in /usr/local/share/nmap/nmap-services.

You could have spared the TCP/UDP diff lecture since the question wasn't 
directed to that... Although you were correct about UDP and it's difficulty 
when it comes to remote scanning.

jc: If you own the box and *don't* have any reason to assume/think you've 
been compromised (Just checking) you can check locally using nice tools like:
netstat -an --ip for both udp and tcp or netstat -an --udp[--tcp] for 
either one.
lsof -i -n 
nmap localhost -p 1-[HigherPortNumber]
fuser 
and the list goes on =)

-xbud
-
[EMAIL PROTECTED]
I only drink to make other people interesting
-

On Sunday 21 October 2001 09:45 am, Craig McPherson wrote:
 I can't believe nobody has answered this correctly yet.  UDP is
 different than TCP in that it is a stateless protocol, and that means
 you have to understand a few things to interpret UDP port scan results
 correctly.  With TCP scans, you get one of three results:  OPEN
 (meaning that the TCP handshake sequence to open a connection
 completed), CLOSED (meaning that the target sent a port closed ICMP
 message), or FILTERED (meaning that no response was received at all:
 this is also called stealthed by so-called security experts like
 Steve Gibson but it's a good idea to ignore him just on general
 principles).

 UDP is a completely stateless protocol, though.  Even if you send a UDP
 packet to a port that a valid daemon is listening on, the system isn't
 obligated to send anything back to you at all: there is no handshake
 sequence to establish a connection.  So making a determination is
 harder than with TCP.  If you receive a port closed ICMP message, the
 port can be safely listed as CLOSED, but if you receive nothing at all,
 that could mean that the port is either OPEN or FILTERED -- it's pretty
 much impossible to tell the difference.

 NMAP assumes that every UDP port that it doesn't receive a responsee
 from is OPEN, which means that if you have your firewall DROP all UDP
 connections, every UDP port will appear as open.  If you want to fix
 this, have your firewall REJECT instead of DROP, and the ports will
 appear correctly as CLOSED to a port scan.  DROPing connections without
 a response is in violation of the RFCs, too, if you care about that
 sort of thing.  Having the local machine portscan itself will also tell
 you which UDP ports are *actually* open, because I assume you don't
 have your firewall set to DROP packets from itself.

 Also, did you know that by default, nmap only scans ports listed in its
 services file?  So although it scans commonly-used ports, it's not
 scanning the entire system.  If you have enough time (this will make
 the scan very slow, especially over a slow network link), use the -p 1-
  argument to every scan to force nmap to scan every port from 1 to
 65535 instead of just the maybe 400 or 500 ports that it has listed in
 its services file.  That's the only way you can get a complete picture
 of what your box looks like from the outside.

  I'm doing portscans on a system I'm working to learn more about
  securing hosts and setting up iptables.  My tcp portscan reported
  what I expected, only www, ssh and smtp listening.  The udp
  portscan reported a huge list of 'open' ports.  I really didn't
  know what to expect for this scan, so I want to know if this is
  normal.  Just for grins, I removed every udp listing in
  /etc/services and restarted inetd and the scan came back the
  same.  I figure this is normal, but if someone can confirm this
  behaviour, I'd really appreciate it.
 
  If this isn't secure behaviour, perhaps I can add an iptables
  entry like:
 
  iptables -A INPUT -p udp -j drop
 
  However, I don't have any applications running using udp, so the
  'open' port doesn't have anywhere to go, as far as I know.
  Again, if someone can confirm this, I'd really appreciate it.
 
  thanks,
  jc

Re: Questions regarding the Security Secretary Position

2001-10-21 Thread orly-fu

Are they both around 20 years of age and steaming hot ? - like the ones we 
all hope wish we had as receptionists in our corps ? =)

-xbud
On Sunday 21 October 2001 04:52 pm, Thomas Bushnell, BSG wrote:
 Matt Zimmerman [EMAIL PROTECTED] writes:
  On Sun, Oct 21, 2001 at 09:23:03AM -0700, Thomas Bushnell, BSG wrote:
   Martin Schulze [EMAIL PROTECTED] writes:
Q: Is a requirement being a Debian developer?
   
   No.  It is my understanding that it would be good to have fresh
   blood in the team.  Working on security can cost a lot of time,
   thus it could even be helpful not being a Debian developer since
   that implies active package maintenance as well.  However,
   similar knowledge is very helpful, and may be required when
   working on issues.
  
   I think the security secretary, if we have one, should be a Debian
   developer.
 
  We have two of them, and they are both card-carrying developers.

 Sorry; I was referring to the QA, not the present incumbents.

Re: Port Scan for UDP

Re: Port Scan for UDP

Re: Questions regarding the Security Secretary Position

3 matches

Site Navigation

Mail list logo

Footer information