
Ports in "closed" state are good choices for "direct connect" shell



b0nd
12-05-2011, 11:22 AM
I have observed that people do not pay attention to the difference between a TCP port in "closed" state and a TCP port in "filtered" state.

Target Machine | Firewall | Perimeter Router <---- Attacker

In the general case - a port in closed state on the Target Machine, found by an Attacker sitting outside the network during a port scan, is a port that is allowed through the firewall but on which, at the moment, no daemon is listening, i.e. no service is running.
If an attacker manages to slip into the Target Machine (e.g. through a Web App vulnerability), he could simply run his backdoor (like netcat) and make it listen on the "closed" port. The firewall would allow incoming traffic to that port, which would now be in "open" state.

Contrary to this, a service might be running on a "filtered" port, but the firewall is not allowing connections to it through the cloud.

Depending on the privilege obtained, the attacker could open the port -
If Admin privilege - he could make any port listen
If non-Admin privilege - any TCP port from 1024 onwards

So the tip here is -> run a port scanner from outside the network on the target IP and, if a port is found in closed state on the target IP, try running the backdoor in listening mode on that port and you might get lucky.

And I have always found it hard to make the client understand the risk associated with a "closed" port.

Cheers!
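To turn the closed-vs-filtered distinction above into a finding a client can act on, here is an added example (not code from the original post) that parses constructed nmap-style scan lines and reports every TCP port the firewall passes but nothing listens on, ranked by the privilege needed to bind it; the scan lines, function names and severities are assumptions for illustration.

```python
import re

# Constructed sample of nmap normal-output lines for one host, as seen by an
# external scanner through the perimeter firewall (not a real scan result).
SAMPLE_SCAN = """\
22/tcp   open     ssh
25/tcp   closed   smtp
80/tcp   open     http
445/tcp  filtered microsoft-ds
3306/tcp closed   mysql
8080/tcp closed   http-proxy
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")


def parse_scan(text):
    """Return (port, proto, state, service) tuples from nmap-style port lines."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            results.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results


def closed_port_findings(ports):
    """Flag every TCP port that the firewall allows but no service uses.

    'closed' means the probe reached the host and was answered with a RST,
    so the firewall passes that port. 'filtered' means nothing came back,
    so the firewall drops it. Binding a port below 1024 needs admin rights,
    so a closed low port only matters after full compromise; a closed port
    from 1024 up can be bound by any local account, hence higher severity.
    """
    findings = []
    for port, proto, state, service in ports:
        if proto != "tcp" or state != "closed":
            continue
        severity = "high" if port >= 1024 else "medium"
        findings.append({
            "port": port,
            "severity": severity,
            "fix": f"drop inbound tcp/{port} at the firewall; no service uses it",
        })
    return findings


if __name__ == "__main__":
    for f in closed_port_findings(parse_scan(SAMPLE_SCAN)):
        print(f"tcp/{f['port']:<5} {f['severity']:<6} {f['fix']}")
```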

the_empty
12-05-2011, 01:32 PM
Plus 1 to both the points. Especially the second one; clients simply do not understand how closed port detection could be harmful. Moreover, most of them behave dumb while putting up the mitigation.

neo
12-05-2011, 05:40 PM
Agree with you bro on the post.

And for this statement...

And I have always found it hard to make the client understand the risk associated with a "closed" port.


Well bro, I have seen some people find it difficult to make the client understand the risk associated with an "OPEN" port .... :rolleyes:
LoL