ipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a timestamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent.
b916e1e9b1aa5e336281e12310107a6a4b78a6bde277739bf28b965060f2df78This document describes a simple and efficient method for random selection of a client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods, the described port number randomization algorithms provide improved security/obfuscation with very little effort and without any key management overhead. The mechanisms described in this document are a local modification that may be incrementally deployed, and that does not violate the specifications of any of the transport protocols that may benefit from it, such as TCP, UDP, SCTP, DCCP, and RTP.
1ce58606d3eddff9223fe3a488f8c0cc0f6238e521811ffc418b4dd84491b12bFreeBSD Security Advisory - The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization.
fb04e361ce950a2eb37bbee1c2ca35ab538b362079ecb611780d440663993f72ipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a timestamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent.
f420f6fd1d85f1272c4ba95244e27bb7c54c3c5dd2be5df4a01673d04169da58Cisco Security Advisory - Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches. To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.
d32b92336515b60db970d02f3270a9e590a9813744b8cb3ca422ce491572306eUnhide is a forensic tool to find hidden processes and TCP/UDP ports that are hidden via rootkits, LKMs, or other techniques.
631bc2fb09fa05351273021fd32483e5bf4187dcdc15222335fe2ddc5d146ae3rtpBreak detects, reconstructs and analyzes any RTP [rfc1889] session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it does not require the presence of RTCP packets (voipong needs them) that are not always transmitted from the recent VoIP clients.
9ec7276e3775c13306bcf90ba573cfb77b8162a18f90d5805a3c5a288f4466f8Gentoo Linux Security Advisory GLSA 200804-22 - Amit Klein of Trusteer reported that insufficient randomness is used to calculate the TRXID values and the UDP source port numbers. Versions less than 3.1.5 are affected.
f823b54f7bf237110736d4b9631ff06cf6f844a5345ea0258af1485d94cf6deaDebian Security Advisory 1544-1 - Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a weak random number generator to create DNS transaction IDs and UDP source port numbers. As a result, cache poisoning attacks were simplified.
34b28618f53686ec50a6ed32dab59f6c2876d3f1bfc3242c71bb8b32d6e82dfbThis paper shows that Windows DNS stub resolver queries are predictable - i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query, thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS client poisoning than the currently known attacks against Windows DNS stub resolver.
fcbad979678328d35c5f23e8e94a9efb78263e2ea3c4b81d3d339f74542d6222Ubuntu Security Notice 598-1 - It was discovered that the CUPS administration interface contained a heap- based overflow flaw. A local attacker, and a remote attacker if printer sharing is enabled, could send a malicious request and possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile. It was discovered that the hpgl filter in CUPS did not properly validate its input when parsing parameters. If a crafted HP-GL/2 file were printed, an attacker could possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile. It was discovered that CUPS had a flaw in its managing of remote shared printers via IPP. A remote attacker could send a crafted UDP packet and cause a denial of service or possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile. It was discovered that CUPS did not properly perform bounds checking in its GIF decoding routines. If a crafted GIF file were printed, an attacker could possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile.
76971a967007cc526ac3f071c811a22f58d61bf8643d735b0b8e9e0ab5e7fefeCisco Security Advisory - A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed throughout the router can not trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
eaab00543556990c9814d3f8fdd5005a6f0b3ae28e6943684965111b23bafee3Cisco Security Advisory - Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets. Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate the effects of these vulnerabilities.
c0d42ecfdbd323b7c72cd98ba5fa908269034f82bd1bcde8170b8fa5f6a55b4eNmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings.
03bf22ca986ff65536141d78a982e27f1faa86bc10ac98016be4d6d969d1611dDebian Security Advisory 1530-1 - Several local/remote vulnerabilities have been discovered in cupsys, the Common Unix Printing System. A heap-based buffer overflow in CUPS, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions. A double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer.
a5eff4c1aab8b289dee26fb4d18a9997f81a42a145ae3628aace65ddeda08dedipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a timestamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent.
3289fff009448b23ae5a1a23ef532cf71037575a42ae74e17ce860cba118e657SUSE Security Announcement - The current security update of cups fixes a double-free bug in the function process_browse_data() that can lead to a remote denial-of-service by crashing cupsd or possibly to a remote code execution. The bug can only be exploited if cupsd listens to 631/udp by crafted UDP Browse packets. Additionally two remote denial-of-service bugs were fixed. The first one can be triggered via crafted IPP packets to use a pointer after it was freed and the second issue is a memory-leak caused by a large number of requests to add and remove shared printers.
1d33e9dc71eee1a911d8e2a1a177892a773eb3fb7cf993243327770428c9fe79Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings.
7d415eb8e6cbd0f6fbc2301ea65c6a6d3580b81085faf0fe42d008638bac12fbMandriva Linux Security Advisory - A flaw was found in how CUPS handled the addition and removal of remote printers via IPP that could allow a remote attacker to send a malicious IPP packet to the UDP port causing CUPS to crash.
12147b573472bdc8bd17888a443b482c258f574cbe5f9670b1dc12fc05b1a2f6Mandriva Linux Security Advisory - Dave Camp at Critical Path Software discovered a buffer overflow in CUPS 1.1.23 and earlier could allow local admin users to execute arbitrary code via a crafted URI to the CUPS service. The Red Hat Security Team also found two flaws in CUPS 1.1.x where a malicious user on the local subnet could send a set of carefully crafted IPP packets to the UDP port in such a way as to cause CUPS to crash or consume memory and lead to a CUPS crash. Finally, another flaw was found in how CUPS handled the addition and removal of remote printers via IPP that could allow a remote attacker to send a malicious IPP packet to the UDP port causing CUPS to crash.
a649ed2550f2724a2be3856c2b5d7185726ab19f41cbc7efcef59a823da612a9rtpBreak detects, reconstructs and analyzes any RTP [rfc1889] session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it does not require the presence of RTCP packets (voipong needs them) that are not always transmitted from the recent VoIP clients.
b144cc0483ba3d0bacf2dee2188e20bf5e0c299ef0b72fe3febd124f6abfcf7dfinetd reads a configuration file to see which TCP/UDP ports to listen on, or which UNIX path names to create and listen on. When a connection is made to one of these ports, finetd launches an application to handle the request. finetd supports IPv4, IPv6, and UNIX domain sockets. Stream, Datagram (dgram), and Seqpacket socket types are supported.
ffbbecd1646f88b6108b6b0e4cbbda75b90f29ca74fedb0e6c0c9bcf6faef62eNmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings. Full changelog available here.
efc986ad0288c71cdaf690b17d4a5a08445bbda1c1ab4c560f8e575a1dd7f6e5This document describes a simple and efficient method for random selection of a client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods, the described port number randomization algorithms provide improved security/obfuscation with very little effort and without any key management overhead. The mechanisms described in this document are a local modification that may be incrementally deployed, and that does not violate the specifications of any of the transport protocols that may benefit from it, such as TCP, UDP, SCTP, DCCP, and RTP.
f6784276bc77577f72c09f503deab41ce6fabf7bb9a8b44edd61410211141a2cPKMap is a functional packet manipulator/injector. It currently supports ETH/IP/TCP/UDP/ICMP/(R)ARP.
766b8918be4c6c569ead7cdfcca4cf9d11dad30b18816b81fc5ab9f016622d9e
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed