Firewalls and IP ports

Soadyheid · 01-04-2012, 05:26 AM

Hi, I'm trying to communicate behind a firewall on ports 161 and 162 (SNMP and SNMPTRAP ports) without success. I've been told the ports have been opened but need some way of checking this.

The remote server cannot be pinged (disabled no doubt)and I've been told that I should be able to telnet into either port, but again with no joy. Telnet on its own (port 23) doesn't work either, but then, it's port is probably disabled as well.

On a system I can access with the firewall disabled, I can telnet to port 22 (SSH) and get a resopnse. I can also telnet to the hhtp port 80... OK, just a flashing cursor but a response never the less.
Maybe I should be using something other than telnet? Any advice welcomed. Thanks!

Play Bonny!

repo · 01-04-2012, 05:39 AM

Try nmap.

Kind regards

Soadyheid · 01-04-2012, 08:54 AM

Thanks repo!

I'll have a look at that on my test rig, certainly looks interesting. Now the bit I forgot to tell you...

The box I'm trying to telnet from is running Windows server 2003 while the target behind the firewall is running RHEL 5.3 so I supose my question may be more general networking rather than specifically Linux.

I'll re-define the question...

Should you be able to telnet to any IP port and get some sort of response providing the firewall is not blocking that port?
Would the response differ if it were a UTP port rather than a TCP one or doesn't it matter?

Thanks again for your help.

Play Bonny!

agentbuzz · 01-04-2012, 09:46 AM

Soadyheid,
SNMP runs over UDP so, as repo said, you should use nmap. It doesn't sound like you are familiar with nmap, though, so here is how to do a UDP scan. "-vv" gives very verbose output. "-sU" is for a UDP scan. "-P0" tells nmap not to ping the hosts first. Nmap binaries are available for Windows, as well.

Code:

[user@computer ~]# nmap -vv -sU -P0 192.168.1.42

Starting Nmap 5.21 ( http://nmap.org ) at 2012-01-04 08:55 CST
Initiating ARP Ping Scan at 08:55
Scanning 192.168.1.42 [1 port]
Completed ARP Ping Scan at 08:55, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:55
Completed Parallel DNS resolution of 1 host. at 08:56, 13.00s elapsed
Initiating UDP Scan at 08:56
Scanning 192.168.1.42 [1000 ports]
Increasing send delay for 192.168.1.42 from 0 to 50 due to 259 out of 863 dropped probes since last increase.
Completed UDP Scan at 08:56, 18.78s elapsed (1000 total ports)
Nmap scan report for 192.168.1.42
Host is up (0.023s latency).
Scanned at 2012-01-04 08:55:47 CST for 32s
Not shown: 996 closed ports
PORT     STATE         SERVICE
1027/udp open|filtered unknown
1031/udp open|filtered iad2
1050/udp open|filtered unknown
1900/udp open|filtered upnp

Soadyheid · 01-05-2012, 04:22 AM

Thanks agentbuzz,
I'm working in a very restricted environment and, as mentioned in my original post, I can't ping the target. so...

Code:

Initiating ARP Ping Scan at 08:55
Scanning 192.168.1.42 [1 port]
Completed ARP Ping Scan at 08:55, 0.02s elapsed (1 total hosts)

which appears to be used by nmap in your code clip above, probably wouldn't work.

Should I get some sort of response if I try to telnet to one of the SNMP ports? (161,162)

Play Bonny!

agentbuzz · 01-05-2012, 07:40 AM

Soadyheid,
nmap told me that it was doing an ARP ping scan because I was scanning a local address on the same Ethernet LAN. If it had been an Internet IP, you would see something like the following:

Code:

[user@computer]# nmap -vv -sU -P0 xxx.xxx.xxx.xxx

Starting Nmap 5.21 ( http://nmap.org ) at 2012-01-05 06:53 CST
Initiating Parallel DNS resolution of 1 host. at 06:53
Completed Parallel DNS resolution of 1 host. at 06:53, 0.04s elapsed
Initiating UDP Scan at 06:53
Scanning server.domain.com (xxx.xxx.xxx.xxx) [1000 ports]
UDP Scan Timing: About 15.50% done; ETC: 06:56 (0:02:49 remaining)
UDP Scan Timing: About 30.50% done; ETC: 06:56 (0:02:19 remaining)
UDP Scan Timing: About 45.50% done; ETC: 06:56 (0:01:49 remaining)
Discovered open port 53/udp on xxx.xxx.xxx.xxx
Completed UDP Scan at 06:55, 116.17s elapsed (1000 total ports)
Nmap scan report for server.domain.com (xxx.xxx.xxx.xxx)
Host is up (0.090s latency).
Scanned at 2012-01-05 06:53:04 CST for 116s
Not shown: 999 open|filtered ports
PORT   STATE SERVICE
53/udp open  domain

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 116.34 seconds
           Raw packets sent: 2002 (57.314KB) | Rcvd: 4 (160B)

As you can see, the command "nmap -vv -sU -P0" did a UDP scan. The target is a DNS server. Please try that command.

Telnet will not work for UDP services. It is designed to attempt the three-way handshake, on a service port of your choice, that TCP requires for building a socket: SYN > SYN-ACK > ACK.

You could also try Netcat, if it is installed on your server. If you are allowed to install it, netcat is available in deb and RPM packages, and you can get a Windows Zip file with the one free-standing binary and Hobbit's C source code.

Code:

[user@computer]# nc -v -u -w2 -z localhost 123
Connection to localhost 123 port [udp/ntp] succeeded!

The "-v" makes output verbose, "-u" tells nc to do a UDP scan, "-w" flag defines your timeout value, and "-z" "Specifies that nc should just scan for listening daemons, without sending any data to them." (man nc). Your command would be "nc -v -u -w2 -z target 161-162".