Re: Stealth vs. Blocked

From: JR (notlikely@nowhere.com)
Date: 01/31/03


"SysAdm" <wjones@sitesmith.com> wrote in message
news:b1eeo0$18j$1@venus.btinternet.com...
>
> "JR" <notlikely@nowhere.com> wrote in message
> news:UNy_9.67425$lj.2698052@read1.cgocable.net...
> > I have recently seen a lot of discussion involving the pros and cons of
> > "stealthed" vs "blocked" ports.
> > I have always been in favor of being blocked AND stealthed as opposed to
> > just blocked, but I'm always open to new ways of thinking.
> > Just for the hell of it, I went out on a standard XP box and pinged a main
> > firewall that is "stealthed" (does not respond to ICMP), and promptly rec'd
> > the good ol' "Request timed out"
> > Then I powered down the cable modem to the main firewall, pinged it again,
> > and once more rec'd "Request timed out"
> > Script kiddies often tend to start their days with ping scans.
> > Seriously, how do I know, with the above scenario, if a host/firewall is up
> > or down? I must be missing something.
> > JR
>
> ICMP as a protocol provides more than just echo reply and echo request. So
> if a device does not respond to echo requests, this does not mean an ardent
> hacker will give up.

I understand that part. If I know an IP does exist, the lack of response is
not going to stop me, (during security testing).

>
> Stealth does not just apply to ICMP.
> With the use of a fingerprinting tool such as NMAP, you can determine remote
> OS and potentially patch levels, just by the return (or not) of packets.
> This is exactly the reasoning behind things like FIN scans. If the tcpip
> interaction provided by a service which sits on a tcp port is written to RFC
> specs, you should expect an out-of-band FIN packet to be silently discarded.
> This is but one example of intelligence collection, which is the first part
> of any (real) hacking prognosis.
>
Again, I understand what you are saying (I use nmap and nessus all the
time), except most of the discussions I have seen just involve ICMP,
specifically requests and replies (or the lack of).

> SysAdm
>
>
>
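The two probes discussed in this thread, ping sweeps and orphan FIN packets, are both visible on the defending side even when the firewall drops them. The detector below is an added example, not code from either poster; it runs over a constructed one-line-per-packet log (a format assumed here, not any real tool's output) and flags a source that sends echo requests to many hosts, or FIN-only packets to many ports with no preceding SYN from that source.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): "<time> <src> > <dst>:<dport> <proto> flags=<flags>"
SAMPLE_LOG = """\
10:00:01 203.0.113.9 > 192.0.2.1:- icmp-echo flags=-
10:00:01 203.0.113.9 > 192.0.2.2:- icmp-echo flags=-
10:00:01 203.0.113.9 > 192.0.2.3:- icmp-echo flags=-
10:00:02 203.0.113.9 > 192.0.2.4:- icmp-echo flags=-
10:00:05 198.51.100.7 > 192.0.2.10:22 tcp flags=F
10:00:05 198.51.100.7 > 192.0.2.10:25 tcp flags=F
10:00:05 198.51.100.7 > 192.0.2.10:80 tcp flags=F
10:00:05 198.51.100.7 > 192.0.2.10:443 tcp flags=F
10:00:09 192.0.2.50 > 192.0.2.10:80 tcp flags=S
10:00:09 192.0.2.50 > 192.0.2.10:80 tcp flags=A
10:00:12 192.0.2.50 > 192.0.2.10:80 tcp flags=FA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>[^:]+):(?P<dport>\S+) "
    r"(?P<proto>\S+) flags=(?P<flags>\S+)$"
)


def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect_scans(log, echo_threshold=4, fin_threshold=4):
    """Return sorted source addresses that look like a ping sweep or a FIN scan."""
    echo_targets = defaultdict(set)   # src -> hosts it sent echo requests to
    syn_seen = set()                  # (src, dst, dport) that saw a SYN from src
    orphan_fin = defaultdict(set)     # src -> (dst, dport) hit by a bare FIN with no SYN
    for p in parse(log):
        if p["proto"] == "icmp-echo":
            echo_targets[p["src"]].add(p["dst"])
            continue
        key = (p["src"], p["dst"], p["dport"])
        if "S" in p["flags"]:
            syn_seen.add(key)
        elif p["flags"] == "F" and key not in syn_seen:
            # A FIN-only segment with no handshake is never legitimate traffic.
            orphan_fin[p["src"]].add((p["dst"], p["dport"]))
    return {
        "ping_sweep": sorted(s for s, t in echo_targets.items() if len(t) >= echo_threshold),
        "fin_scan": sorted(s for s, t in orphan_fin.items() if len(t) >= fin_threshold),
    }
```

The normal client 192.0.2.50 closes its connection with FIN+ACK after a SYN, so it is not reported; the thresholds are arbitrary and should be tuned to the network's baseline.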


