
I read that if a server is inside a DMZ behind a stateless firewall, it is a good idea to use ports 20 and 53 as source ports when conducting port scanning. Why is this a good idea? I guess the firewall will most likely not filter FTP and DNS data?

AdHominem

1 Answer


You guessed correctly.

According to the Nmap Reference Guide:

--source-port <portnumber>; -g <portnumber> (Spoof source port number)

One surprisingly common misconfiguration is to trust traffic based only on the source port number. It is easy to understand how this comes about. An administrator will set up a shiny new firewall, only to be flooded with complaints from ungrateful users whose applications stopped working. In particular, DNS may be broken because the UDP DNS replies from external servers can no longer enter the network. FTP is another common example. In active FTP transfers, the remote server tries to establish a connection back to the client to transfer the requested file.

Secure solutions to these problems exist, often in the form of application-level proxies or protocol-parsing firewall modules. Unfortunately there are also easier, insecure solutions. Noting that DNS replies come from port 53 and active FTP from port 20, many administrators have fallen into the trap of simply allowing incoming traffic from those ports. They often assume that no attacker would notice and exploit such firewall holes. In other cases, administrators consider this a short-term stop-gap measure until they can implement a more secure solution. Then they forget the security upgrade.

Overworked network administrators are not the only ones to fall into this trap. Numerous products have shipped with these insecure rules. Even Microsoft has been guilty. The IPsec filters that shipped with Windows 2000 and Windows XP contain an implicit rule that allows all TCP or UDP traffic from port 88 (Kerberos). In another well-known case, versions of the Zone Alarm personal firewall up to 2.1.25 allowed any incoming UDP packets with the source port 53 (DNS) or 67 (DHCP).

A 2005 answer on Seclists.org provides a quote from a previous version of the Reference Guide:

--source_port <portnumber>

Sets the source port number used in scans. Many naive firewall and packet filter installations make an exception in their ruleset to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection. Obviously this completely subverts the security advantages of the firewall since intruders can just masquerade as FTP or DNS by modifying their source port. Obviously for a UDP scan you should try 53 first and TCP scans should try 20 before 53. Note that this is only a request -- nmap will honor it only if and when it is able to. For example, you can't do TCP ISN sampling all from one host:port to one host:port, so nmap changes the source port even if you used this option. This is an alias for the shorter, but harder to remember, -g option.

A. Darwin
They don't forget the security upgrade, [a sysadmin is better than that](https://xkcd.com/705/). It is just that management does not allocate time to go back to an "already solved issue" (setting the firewall). – Mindwin Aug 01 '16 at 18:44
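The source-port trust rule the quoted guide warns about, evaluated side by side with the stateful alternative it recommends, as an added example that is not part of the original answer or of Nmap. The `Packet` tuple, the two policy classes and the traffic sample are constructed for illustration.

```python
"""Source-port-only filtering versus connection tracking.

Constructed example: the same packet sequence is judged by a naive
rule that trusts inbound traffic by source port alone (the
misconfiguration in the Nmap guide) and by a filter that only admits
inbound packets matching a previously seen outbound request.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True = arriving from outside the protected segment


TRUSTED_SRC_PORTS = {20, 53}   # FTP-DATA and DNS, as in the quoted guide


def stateless_allow(pkt: Packet) -> bool:
    """The insecure shortcut: any inbound packet from port 20 or 53 passes."""
    return (not pkt.inbound) or pkt.sport in TRUSTED_SRC_PORTS


class StatefulFilter:
    """Admit an inbound packet only as the reply to a recorded outbound flow.

    Real connection tracking also checks TCP flags and timeouts; the
    5-tuple match is enough to show why source port alone proves nothing.
    """
    def __init__(self):
        self.expected = set()   # (proto, remote_ip, remote_port, local_ip, local_port)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.expected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.expected


def evaluate(packets):
    """Return (stateless_decision, stateful_decision) for each packet."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in packets]


# Constructed traffic: a genuine DNS query and its reply, followed by two
# unsolicited inbound packets that merely carry a "trusted" source port.
SAMPLE = [
    Packet("udp", "10.0.0.5", 40123, "198.51.100.53", 53, inbound=False),
    Packet("udp", "198.51.100.53", 53, "10.0.0.5", 40123, inbound=True),
    Packet("udp", "203.0.113.9", 53, "10.0.0.5", 161, inbound=True),
    Packet("tcp", "203.0.113.9", 20, "10.0.0.5", 445, inbound=True),
]
```

Running `evaluate(SAMPLE)` shows the stateless rule accepting all four packets while the stateful filter accepts only the real DNS reply, which is the gap the answer describes.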