Ports

The network stack behaves differently depending on whether a port is open or closed:

  • TCP: replies with a TCP SYN, ACK (if open), or TCP RST (if closed).

  • UDP: replies with a Higher Layer packet (if open), or an ICMP Port unreachable (if closed).

  • ICMP: replies with ICMP Reply (or other).

  • Firewalls also affect replies by altering or filtering packets.

Services typically operate on well-known ports.

  • All ports below 1024 are reserved for popular services.

  • Many ports above 1024 are also reserved.

Impact: anyone who can observe these replies can learn which hosts and services are available.

Information leakage

Port scan: try to initiate a connection to a specific port.

  • May actually complete the connection, or may only begin it.

    • Full Connection: Doing the TCP Three-Way Handshake.

    • Half Connection: Only sending the first TCP SYN.

  • A reply may indicate the existence/absence of a service.

    • Existence if the connection is successful.

    • Absence if an error is received.

  • A non-reply may indicate the existence of a firewall.

Mitigation

Mitigation is limited because port scanning exploits an inherent behavior of the network stack.

  • The network port state will affect the replies.

Firewalls should observe connection attempts and limit them when enumeration is detected. Indicators include:

  • Number of connections from a given host.

  • Different ports are being accessed.

  • Session duration.

  • Rate of packets.

  • Specific fingerprints.
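A minimal sketch of how a firewall or log monitor could apply the connection-count, distinct-port and rate indicators above, written as an added example and not taken from the original notes. The thresholds, the event tuple layout and the sample addresses (documentation ranges) are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 10.0     # sliding window length in seconds (assumed value)
MAX_PORTS = 5       # distinct destination ports tolerated per window (assumed)
MAX_ATTEMPTS = 20   # connection attempts tolerated per window (assumed)

def detect_enumeration(events, window=WINDOW_S, max_ports=MAX_PORTS,
                       max_attempts=MAX_ATTEMPTS):
    """events: (timestamp, src_ip, dst_port, completed) tuples sorted by time.
    'completed' is False for half connections (SYN only) or refused attempts.
    Returns {src_ip: reason} for every source that exceeds a threshold."""
    recent = defaultdict(deque)          # src_ip -> events inside the window
    flagged = {}
    for ts, src, port, completed in events:
        q = recent[src]
        q.append((ts, port, completed))
        while ts - q[0][0] > window:     # expire events older than the window
            q.popleft()
        if src in flagged:
            continue
        ports = {p for _, p, _ in q}
        never_completed = sum(1 for _, _, c in q if not c)
        if len(ports) > max_ports:       # many different ports: enumeration
            flagged[src] = (f"{len(ports)} distinct ports in {window:g}s "
                            f"({never_completed} never completed)")
        elif len(q) > max_attempts:      # high attempt rate from a single host
            flagged[src] = f"{len(q)} attempts in {window:g}s"
    return flagged

# Constructed sample traffic (not real logs).
SAMPLE = sorted(
    [(0.1 * i, "198.51.100.7", 20 + i, False) for i in range(12)]  # many ports
    + [(1.0 * i, "192.0.2.10", 443, True) for i in range(8)]       # normal client
    + [(0.2 * i, "203.0.113.5", 22, False) for i in range(30)],    # high rate
    key=lambda e: e[0],
)

if __name__ == "__main__":
    for src, reason in detect_enumeration(SAMPLE).items():
        print(src, "->", reason)
```

A flagged source would then be rate-limited or blocked by the firewall policy; session duration and fingerprint checks would be added as further per-source features.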
