b0nd
12-05-2011, 11:22 AM
I have observed that people do not pay attention to the difference between a TCP port in "closed" state and a TCP port in "filtered" state.
Target Machine | Firewall | Perimeter Router <---- Attacker
In the general case - the port in closed state on the Target Machine found by an Attacker sitting outside the network during a port scan is a port that is allowed to listen through the firewall, but just that at the moment no daemon is listening, i.e. no service is running.
If an attacker manages to slip into the Target Machine (e.g. through a Web App vulnerability), he could simply run his backdoor (like netcat) and make it listen on the "closed" port. The firewall would allow incoming traffic to that port, which would now be in "open" state.
Contrary to it, a service might be running on a "filtered" port but the firewall is not allowing connections to it through the cloud.
Depending on the privilege obtained, the attacker could open the port -
If Admin privilege - He could make any port listen
If non-Admin privilege - Any port TCP 1024 onwards
So the Tip here is -> Run a port scanner from outside the network on the target IP and if you find a port in closed state on the target IP, try running the backdoor in listening mode on that port and you might get lucky.
And I have always found it hard to make a client understand the risk associated with a "closed" port.
Cheers!
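Added example (not part of the post above): the three port states seen from outside are simply three ways a TCP handshake can end, and a defender can reproduce the distinction on a loopback listener without any scanner. The block below classifies a connect attempt (SYN/ACK -> open, RST -> closed, silence -> filtered), shows open vs closed on 127.0.0.1, and then reviews a constructed scan result against the list of ports that are supposed to be serving. The point of the review is the one the post makes: a "closed" port is a firewall rule with nothing behind it, so it belongs in a tightening ticket. The port numbers in the review are constructed sample data; `review_rules` and its result keys are names chosen for this example.

```python
import socket

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe(host, port, timeout=1.0):
    """Full TCP connect probe, classified by how the handshake ends.

    connected          -> the host answered SYN/ACK: a service listens (OPEN)
    connection refused -> the host answered RST: the firewall let the packet
                          through, nothing is listening (CLOSED)
    timeout / ICMP err -> dropped or rejected in transit (FILTERED); this is
                          the nmap convention for both cases
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except (socket.timeout, TimeoutError):
        return FILTERED
    except OSError:
        # e.g. "host unreachable" from an ICMP admin-prohibited reply
        return FILTERED
    finally:
        s.close()


def demo_loopback():
    """Show the open/closed difference on 127.0.0.1 with a throwaway listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)   # SYN/ACK -> "open"
    srv.close()                                  # the daemon goes away...
    after_close = probe("127.0.0.1", port)       # ...same port now answers RST -> "closed"
    return {"port": port, "while_listening": while_listening, "after_close": after_close}


def review_rules(states, expected_services):
    """Compare external scan results with the ports that should be serving.

    states            : {port: state} as returned by probe()
    expected_services : set of ports that are meant to be reachable
    Returns three lists a firewall reviewer would act on.
    """
    return {
        # firewall permits the port but no service answers: rule with nothing
        # behind it, the situation the post warns about; remove the rule
        "closed_but_allowed": sorted(p for p, s in states.items() if s == CLOSED),
        # something listens that is not on the approved list
        "unexpected_open": sorted(
            p for p, s in states.items() if s == OPEN and p not in expected_services
        ),
        # approved service exists but the perimeter drops it: misconfiguration
        "expected_but_unreachable": sorted(
            p for p in expected_services if states.get(p) != OPEN
        ),
    }


if __name__ == "__main__":
    print(demo_loopback())
    # constructed sample scan: only 22 and 443 are approved services
    sample = {22: OPEN, 80: CLOSED, 443: FILTERED, 8080: OPEN}
    print(review_rules(sample, {22, 443}))
```

Running it prints the loopback port as "open" while the listener exists and "closed" the instant it is gone, which is exactly the change an attacker with a foothold can make in the other direction; the review output lists port 80 as a firewall rule to remove, 8080 as a listener to investigate, and 443 as an approved service the perimeter is wrongly dropping.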