From: Thor (Hammer of God) (thor@hammerofgod.com)
Date: Thu Jun 23 2005 - 13:06:08 EDT
FPipe does indeed work for this kind of thing... While nc allows you to
change the source, it's still the nc client. FPipe allows you to redirect
whatever client you want to...
I use it all the time (well, alot anyway) for terminal services access on
systems where it is not feasible to have the firewall allow only specific
clients. In these cases, I further obfuscate TS services by only allowing
3389 (or whatever port you change it to) in if it comes from a particular
source port. FPipe allows one to easily set up a secondary relay connection
to a host/port from a specified source port. I've actually been playing
around with all kinds of different services like this, and it's been working
fine. I spend a few minutes in my Blackhat Training talking about this
(configuring ISA)- it's kinda cool to further limit access based on source
address, and can easily be batched to simplify client access.
t
------
*Secure your infrastructure*
Microsoft Ninjitsu: Securely Deploying MS Technologies
security training delivered by Timothy Mullen.
Registration now open for Blackhat Vegas 2005:
http://www.blackhat.com/html/bh-usa-05/train-bh-usa-05-tm.html
----- Original Message -----
From: "Jacob Weeks" <jaweeks@gmail.com>
To: <chris_perst@gmx.de>; <pen-test@securityfocus.com>
Sent: Thursday, June 23, 2005 6:58 AM
Subject: Re: Connecting to different services with source port 53
just a quick search in google for "telnet source port", came up with
some results.. one being
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fpipe.htm
havn't tried it, so i can't say for sure it'll work. But that has
potential.
Hope that helps.
On 6/23/05, Christian Perst <chris_perst@gmx.de> wrote:
> Hi list,
>
> I'm pen-testing a system and with a normal "nmap -sS" I get no
> response. If I change the source port I could get through to
> the system, as you can see.
>
> 21/tcp open ftp
> 80/tcp open http
> 88/tcp open kerberos-sec
> 135/tcp open msrpc
> 389/tcp open ldap
> 443/tcp open https
> 464/tcp open kpasswd5
> 593/tcp open http-rpc-epmap
> 636/tcp open ldapssl
> 1026/tcp open LSA-or-nterm
> 1029/tcp open ms-lsa
> 1033/tcp open netinfo
> 1720/tcp open H.323/Q.931
> 1723/tcp open pptp
> 3268/tcp open globalcatLDAP
> 3269/tcp open globalcatLDAPssl
> 3372/tcp open msdtc
> 3389/tcp open ms-term-serv
> 6101/tcp open VeritasBackupExec
> 6106/tcp open isdninfo
> 8080/tcp filtered http-proxy
> 10000/tcp open snet-sensor-mgmt
>
> Is there a way, how I can establish a connection using source
> port 53?
>
> Thanks,
> Chris
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:29 EDT