Hi,
Broadly speaking, the way to compare the output from these commands:
nmap -sU <target>
nmap -g 53 -sU <target>
If you can see open ports with the latter that you can't with the former, there is a problem. The caveat to all this is that nmap UDP scanning is an inexact science because it infers a port is open by the absence of an ICMP port unreachable message.
That plugin has a tendency to false positive IMHO. If you have to use a stateless firewall, a reasonable rule to allow incoming DNS responses is "allow udp sport 53 dport > 1023". Now, the plugin will usually trigger on such a rule. The question is how to solve this? I think that rule is correct in almost all circumstances, it's "allow udp sport 53" that must be avoided. I guess using a stateful firewall is the best solution.
Regards,
Paul
Harkaran Bedi wrote:
On a recent Nessus scan - received the following as a security hole:
"It is possible to by-pass the rules of the remote firewall by sending UDP packets with a source port equal to 53."
The device in question is not a firewall, it's actually a load balancer. While it's possible it may be a false positive, I'd like to confirm this all the same, and understand its impact. I ran nmap scans with the following options:
nmap -g 53 -sU <target>
Is there any way to confirm this vulnerability? I'm not sure how an attacker could take advantage of this potential vulnerability?
Insight appreciated, Thanks.
_______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
-- Paul Johnston Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: [EMAIL PROTECTED] web: www.westpoint.ltd.uk
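The three rule variants Paul contrasts ("allow udp sport 53", "allow udp sport 53 dport > 1023", and a stateful firewall), modelled as an added example that is not part of the thread: it feeds a matching DNS reply and two unsolicited source-port-53 datagrams (the second is the kind of probe `nmap -g 53 -sU` sends) through each rule and reports which destination ports get through. The addresses, ports and the `StatefulDns` class are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Udp:
    """Minimal UDP datagram model (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int


def rule_sport53(p: Udp) -> bool:
    """The rule Paul says must be avoided: admit anything from source port 53."""
    return p.sport == 53


def rule_sport53_high(p: Udp) -> bool:
    """Paul's stateless rule: 'allow udp sport 53 dport > 1023'."""
    return p.sport == 53 and p.dport > 1023


class StatefulDns:
    """Stateful variant (hypothetical): a source-port-53 datagram is admitted only
    if it answers a query this host sent, tracked as (client, client port, resolver)."""

    def __init__(self) -> None:
        self.pending: set[tuple[str, int, str]] = set()

    def outbound(self, p: Udp) -> None:
        if p.dport == 53:
            self.pending.add((p.src, p.sport, p.dst))

    def inbound(self, p: Udp) -> bool:
        key = (p.dst, p.dport, p.src)
        if p.sport == 53 and key in self.pending:
            self.pending.discard(key)  # one reply per query, then the hole closes
            return True
        return False


# Constructed addresses from documentation ranges.
HOST, RESOLVER, SCANNER = "192.0.2.10", "192.0.2.53", "198.51.100.7"


def admitted() -> dict[str, list[int]]:
    """Per rule, the destination ports of the inbound datagrams that get through."""
    fw = StatefulDns()
    fw.outbound(Udp(HOST, 40123, RESOLVER, 53))  # a genuine DNS query leaves first
    inbound = [
        Udp(RESOLVER, 53, HOST, 40123),  # the matching reply: every rule should pass this
        Udp(SCANNER, 53, HOST, 161),     # unsolicited, sport 53, low port (the nmap -g 53 probe)
        Udp(SCANNER, 53, HOST, 40124),   # unsolicited, sport 53, high port
    ]
    return {
        "sport 53": [p.dport for p in inbound if rule_sport53(p)],
        "sport 53 dport>1023": [p.dport for p in inbound if rule_sport53_high(p)],
        "stateful": [p.dport for p in inbound if fw.inbound(p)],
    }


if __name__ == "__main__":
    for rule, ports in admitted().items():
        print(f"{rule:22} admits inbound dports {ports}")
```

Only the stateful variant rejects the unsolicited high-port datagram; Paul's stateless rule blocks the low-port probe but still passes anything from source port 53 aimed above 1023.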
