#1 port redirection switch


Here's my scenario. I am a pentester. I've just found a
misconfigured firewall that allows any UDP traffic
through, so long as it has source port of 53 (this type
of thing is quite common, you also often see source
port 80, 21 etc allowed in the same way.) I've scanned
through the firewall using nmap's -g switch to specify
source port udp/53 and would now like to start banging
on the services I've found, starting with SNMP. What I
want to do is run snmpwalk using netcat to force it to
use source port 53.

I believe it's possible to accomplish this using a
pipeline of multiple netcats and the -e switch, however
I can't get my head round how to do it. It would be
very very nice if it were possible to use a single
switch to turn netcat into an arbitary port
multiplexer. Something like...

snmpwalk sends packets to port 161 on localhost. netcat
hears these packets and sends them straight on to port
161 on the target IP, *setting the source port to 53*
(in my case). It would also need to accept the
returning data and pipe it back into snmpwalk.

Feel free to administer liberal cluestick if I've
missed some obvious docs describing how to do this, if
it is and they exist.
Cluestick coordinates: arlen@hushmail.com .

Many thanks for your time reading the above! and thanks
for the work so far.



  • Logged In: YES

    Greetings Arlen,

    What you want to do is already possible using the possibly
    not well documented "tunnel mode" (unfortunately I don't
    have enough time to take care of documentation. I wish a
    native english speaker had time to complete documentation..).

    Command line should be something like:
    $ netcat -u -L targethost:161 -P 53 -p 161

    see netcat --help for full explanation of the options used
    (please understand the difference between -P and -p, and -S
    with -s in listen/tunnel mode).

    Don't hesitate posting here if you have futher troubles with
    this mode.


    • status: open --> closed