Mailing List Archive

TCP ping port
Renaud & I were wondering what the best list of ports for TCP ping
could be.
When a machine is not firewalled, it doesn't matter. Otherwise:
- 80 is often open, but it may be disturbed by transparent proxies.
- 22, 25, 443 are also good candidates
- 113 is even better, because it is either properly rejected by the
firewall, or allowed.
But if the firewall rejects connections on port 113 for all
addresses, we'll see all the IP range "up".

There is no simple solution. But what could the best default be?
- 80;443;25
- 113;80;25
- 80 (former default)

Anything else?
Re: TCP ping port
> could be.
> When a machine is not firewalled, it doesn't matter. Otherwise:
> - 80 is often open, but it may be disturbed by transparent proxies.
> - 22, 25, 443 are also good candidates
> - 113 is even better, because it is either properly rejected by the
> firewall, or allowed.
> But if the firewall rejects connections on port 113 for all
> addresses, we'll see all the IP range "up".


TCP port 53 and port 123 (there is almost NOTHING on 123 and it can be
used to tell the difference between something there and not there), port
21 and 23 (still) port 445? or does that cause too many alerts?

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell@secnap.net
http://www.secnap.net/
Re: TCP ping port
Michael Scheidell <scheidell@secnap.net> writes:

> TCP port 53 and port 123 (there is almost NOTHING on 123 and it can be
> used to tell the difference between something there and not there)

Well, currently, the ping_host plugin does not check if a host is
really alive. But that would be a good idea.

e.g., if we get a RST on port 113, ignore it and try the
next port in the list (firewall)
Or if we get a SYN+ACK on port 80, ignore it (transparent proxy)

Maybe the preference for the plugin will start to look complicated,
but I am more and more convinced that Nessus cannot and *should not*
be a user friendly tool, if we want it to be really powerful.
(this is another topic :)

> port 21 and 23 (still) port 445? or does that cause too many alerts?

OK for 21 and 23. But 445? Is it often open through firewalls?

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
Re: TCP ping port
On Tuesday 04 June 2002 15:23, Michel Arboi wrote:
> Renaud & I were wondering what the best list of ports for TCP ping
> could be.

The following list is based on real-life statistics on how we have discovered
firewalled systems in the past (in order of commonality). I only listed the
first few ports, the rest are less used and sometimes specific to certain
pieces of software we run into a lot.

443, 25, 80, 22, 53, 23, 110, 143, 264

Since most filtered systems are located externally and these systems generally
provide one or more specific services, the goal is to list the most commonly
found services in the order of occurrence (most -> least).

-HD
Re: TCP ping port
H D Moore <hdm@digitaloffense.net> writes:

> 443, 25, 80, 22, 53, 23, 110, 143, 264

Ten packets per address will slow down the plugin. Should we keep the
first three ones?
Re: TCP ping port
On Tue, Jun 04, 2002 at 11:06:52PM +0200, Michel Arboi wrote:
> H D Moore <hdm@digitaloffense.net> writes:
>
> > 443, 25, 80, 22, 53, 23, 110, 143, 264
>
> Ten packets per address will slow down the plugin. Should we keep the
> first three ones?

Sounds good.


-- Renaud
Re: TCP ping port
>
> > 443, 25, 80, 22, 53, 23, 110, 143, 264
>
> Ten packets per address will slow down the plugin. Should we keep the
> first three ones?
>

I think I would still like to see port 53 in there.. don't know about port
264, and ASSUME that if a system has imap (port 143) it probably also has
pop3

Port 23 SHOULD be closed (but some cisco routers still use it and not ssh)

As for port 443... hmmm what percentage have 443 and 80? those who have
443 and NOT 80? (some might redirect from 80 to 443, but still have 80
open, takes a 'tweak' of httpd.conf on apache, won't ms iis barf?

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell@secnap.net
http://www.secnap.net/
Re: TCP ping port
On 4 Jun 2002, Michel Arboi wrote:

|H D Moore <hdm@digitaloffense.net> writes:
|
|> 443, 25, 80, 22, 53, 23, 110, 143, 264
|
|Ten packets per address will slow down the plugin. Should we keep the
|first three ones?

I wouldn't count on 53 unless things weren't set up well. 53/tcp is used
for zone transfers and large records, and I tend to only allow it between
name servers that are supposed to communicate, or filter it entirely. If
it's available for ping, I'd dock the client for letting it slide.

110 is another item that should probably only be setup for trusted clients,
or internal hosts only.

I would rely on well-known, well-used services (even if they are old) to
ping hosts. My picks are 21, 23, 80 and 25 -- in that order.

The original goal here is to tcp ping hosts that are firewalled. While you
would expect 21 and 23 to be blocked, I know folks who think those services
are "secure" because they demand authentication. It is also likely for
environments that do not have filters or firewalls that these ports will be
seen more often for administrative and management reasons (hell, HP printers
have FTP open).

Of course, 25 and 80 have obvious purposes, and should be expected to be
available from the outside. Given the popularity of Microsoft products
and the average experience of the person installing them, port 80 will also
pop up far more often than it should.

I think the statistical value of 109/110/143, 53, 443 and 264 would fare far
lower than 21, 23, 80 and 25. I tend to use those four anytime I want to
further investigate a host I know to be available to the outside world.

.nhoJ
Re: TCP ping port
On Tuesday 04 June 2002 16:57, John Q. Public wrote:
> I think the statistical value of 109/110/143, 53, 443 and 264 would fare
> far lower than 21, 23, 80 and 25. I tend to use those four anytime I want
> to further investigate a host I know to be available to the outside world.

Have to disagree with you on 443. There are literally hundreds of devices out
there which have a "secure" web administrative console on port 443 and not a
whole lot else open (or unfirewalled). The majority of e-commerce and
financial services systems tend to only allow tcp 443 and nothing else.
Re: TCP ping port
On 4 Jun 2002, Michel Arboi wrote:

> H D Moore <hdm@digitaloffense.net> writes:
>
> > 443, 25, 80, 22, 53, 23, 110, 143, 264
>
> Ten packets per address will slow down the plugin. Should we keep the
> first three ones?

Hmm...you can send all probes in one burst and wait for the first
response. It would be a little bit more noisy but almost as fast as
a single probe.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
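The two ideas the thread converges on, Michel Arboi's response rules (a RST on 113 may be the firewall talking, a SYN+ACK on 80 may be a transparent proxy, so neither proves a host) and Pavel Kankovsky's suggestion to burst every probe at once and stop at the first usable reply, fit together in one small host-discovery routine. The block below is an added example written for this archive page; it is not the ping_host plugin or any other Nessus code. It assumes a non-blocking connect() in place of a raw SYN (so it needs no root, at the cost of completing the handshake and being noisier than a half-open probe), a default port list of 443, 25, 80 as agreed above, and a loopback listener in demo() that is constructed only to show the routine running.

```python
"""TCP-ping host discovery: burst probes at several ports, apply the
thread's rules to each reply. Added example, not Nessus code; it uses
connect() rather than raw SYN packets, so no privileges are needed."""
import errno
import selectors
import socket
import time

DEFAULT_PORTS = (443, 25, 80)   # HD Moore's ordering, trimmed to three
IDENT_PORT = 113
HTTP_PORT = 80


def classify(port, outcome):
    """Verdict for one probe; outcome is 'synack', 'rst' or 'timeout'."""
    if outcome == "timeout":
        return "no_answer"
    if outcome == "rst":
        # Something answered, but a firewall REJECTing 113 answers for
        # every address in the range, so a RST there must not mean "up".
        return "ambiguous" if port == IDENT_PORT else "up"
    if outcome == "synack":
        # A transparent proxy completes the handshake on 80 whether or
        # not the real destination exists.
        return "ambiguous" if port == HTTP_PORT else "up"
    raise ValueError(f"unknown outcome {outcome!r}")


def verdict(outcomes):
    """Combine per-port outcomes: any 'up' wins, else 'ambiguous', else 'down'."""
    verdicts = {classify(p, o) for p, o in outcomes.items()}
    if "up" in verdicts:
        return "up"
    if "ambiguous" in verdicts:
        return "ambiguous"
    return "down"


def _outcome(err):
    """Map a connect() error code to what the wire would have shown."""
    if err == 0:
        return "synack"
    if err == errno.ECONNREFUSED:
        return "rst"
    return "timeout"   # dropped, unreachable, etc.: no stack spoke to us


def tcp_ping(host, ports=DEFAULT_PORTS, timeout=1.0):
    """Probe all ports in one burst; stop at the first decisive answer."""
    sel = selectors.DefaultSelector()
    outcomes, pending = {}, {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        err = s.connect_ex((host, port))
        if err in (errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EALREADY):
            sel.register(s, selectors.EVENT_WRITE, port)
            pending[port] = s
        else:                   # answered synchronously (common on loopback)
            outcomes[port] = _outcome(err)
            s.close()
    deadline = time.monotonic() + timeout
    try:
        while pending and verdict(outcomes) != "up":
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            for key, _ in sel.select(remaining):
                s, port = key.fileobj, key.data
                # SO_ERROR says how the connect ended: 0 = SYN+ACK seen,
                # ECONNREFUSED = RST seen, anything else = no usable answer.
                err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
                outcomes[port] = _outcome(err)
                sel.unregister(s)
                s.close()
                del pending[port]
    finally:
        for s in pending.values():
            sel.unregister(s)
            s.close()
        sel.close()
    for port in ports:          # anything still unanswered is a timeout
        outcomes.setdefault(port, "timeout")
    return {"verdict": verdict(outcomes), "outcomes": outcomes}


def demo():
    """Constructed loopback run: one listening port and one closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]   # bound then released: nothing listens
    tmp.close()
    try:
        return {"open": tcp_ping("127.0.0.1", ports=(open_port,)),
                "closed": tcp_ping("127.0.0.1", ports=(closed_port,))}
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Note that the closed loopback port still yields "up": the RST came from a real stack, which is exactly why the thread singles out 113, where a rejecting firewall forges the same RST for every address. Against a host behind a DROP policy all probes time out and the routine returns "down" after one timeout for the whole burst, rather than one per port.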