Re: Sleath ports with Sygate PF

From: Thomas Hertel (Thomas.Hertel_at_gmx.net)
Date: 01/12/04


Date: Mon, 12 Jan 2004 21:25:27 +0100


"Zach" <zsmith@cox.net.nospam> wrote:

>
>"Thomas Hertel" <Thomas.Hertel@gmx.net> wrote in message
>news:g0r500p4m821mjauktb1abn2v6fforgsg9@4ax.com...
>> "Zach" <zsmith@cox.net.nospam> wrote:
>>
Let's do this upside down :-)

>I'm not being sarcastic here...if you can answer the above
>questions/observations then I would be most interested in seeing your
>responses.

I am not into religious wars either, and also I am not being
sarcastic, even if my last post may have suggested that. So let me try
and answer those questions.

>> >Well, yes and no. Theoretically, a closed port cannot be accessed but as we
>> >all know, a theory is not something set in stone (not yet anyway).
>>
>> Current TCP/IP stacks seem to be ok. I have not heard of any stack
>> that is vulnerable when you try to connect to a closed port.
>>
>
>Just because you haven't heard of it doesn't mean it can't happen. That's
>what I meant by the definition of "theory".

ACK to this one. It could happen, although I personally think that the
chance to see this happen is extremely small. Still, it is certainly
not impossible. Still, everything that does "stealth" your system has
a stack of its own, so this would apply to these products as well.

>Besides, if a hacker knows there is a machine at the address they're scanning, they can try hitting it
>then or save it for later. Who's to say that the machine won't be
>temporarily exposed at a later time (DMZ, router/software failure, opening
>certain ports for whatever reason, etc.).

Actually I would prefer to call them crackers, as the term hacker
stands for a person that really knows how to deal with systems without
necessarily having to be a bad guy.

What I was trying to say is that the cracker will know that there is a
machine out there, whether you stealth or not. If your system was
really not there, the last router would send a "host unreachable"
message back to the sender. If you stealth, the router will still see
your system, as they are not communicating via IP. So it will forward
the package to your system. The router does not care whether your
system replies or not. But as it could deliver the packet, it will not
send the "host unreachable" message back to the sender. Not receiving
that message is thus a clear sign that the router could deliver the
packet to your system - meaning it is there and up and running.
>
>> >A stealthed port does not exist as far as a scan or hacker is concerned
>> >because it can't be seen.
>>
>> Of course it can be seen. Any port scanner will see it. How else could
>> the scanner report this port as being stealthed? And do you really
>> think the bad guys don't know how to use a port scanner?
>
>I would like to know what the results read that indicate that a machine with
>stealthed ports is present at a particular address. My scans simply show
>"not responding" and this is at both real addresses and fictitious ones.

In this case you are probably using a scanner that does not make a
difference in what it is showing you. There is certainly a difference
in what it received from the target system. Either it received nothing
(stealth) or it received a "host unreachable" from the last router.
Most scanners would differentiate, though, showing you a port as
either closed or stealthed. Try it with shields up on www.grc.com.

<sidebar>
Damn, I am suggesting a site that will tell you that closed is bad and
only stealth is good - I must be an idiot. However, the scan seems to
be ok.
</sidebar>
>>
>> >While I don't use Sygate so I can't comment on
>> >how to go about it, all ports (including 113) are completely stealthed
>> >(using router) on my machine thus making it completely invisible to the
>> >outside world
>>
>> That's kinda funny. How would any server in the world reply to your
>> system if it was invisible? How would you be able to browse the web or
>> to post in this group?
>
>Well, isn't that what the router is for? Doesn't the routing table have
>something to do with this? Why does my WallWatcher show outbound
>traffic getting out (port 80 for example) and I can cruise the net OK
>because the inbound "matches up" in the table but uninvited inbound is
>blocked?

Again, this is right (except for the routing table, which does not
really deal with this issue). However, in any IP packet you send out,
your IP will be included in the header. This is just because the
server you are addressing needs to have an address to reply to. If you
send a request to any web page, you have to include your IP (your
browser does that for you) because otherwise the server would not know
where to send the page to. The same when you read this newsgroup or
send a mail or whatever. So whenever you are using the internet for
whatever, invisibility is not an option.

A NAT router, which you are probably using, is solving that to a certain
extent, because it will only propagate its IP address rather than the
local IP address of your system.

Regards
Thomas

-- 
"The opinions expressed herein are subject to change without notice"
From the copyright notice of a Gartner Group study
Email for non-spam: my_initials_at_arcendo_dot_com
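
The closed / stealthed / unreachable distinction drawn in the reply above, as an added example that is not part of the original post: it classifies the raw reply to a single TCP SYN probe and then applies the post's reasoning about host presence. It assumes, as the post describes, that the last router reports an absent host with ICMP "host unreachable"; the function names and sample packets are constructed for illustration.

```python
import struct

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def tcp(sport, dport, flags):
    """Minimal 20-byte TCP header; flags is the raw flag byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)

def classify(reply):
    """Classify the reply to one TCP SYN probe; None means nothing came back."""
    if reply is None:
        return "stealth"                      # silence, and no ICMP error either
    ihl = (reply[0] & 0x0F) * 4               # IPv4 header length in bytes
    proto, body = reply[9], reply[ihl:]
    if proto == 6:                            # TCP answer from the target itself
        flags = body[13]
        if flags & 0x04:
            return "closed"                   # RST
        if (flags & 0x12) == 0x12:
            return "open"                     # SYN+ACK
    elif proto == 1 and body[0] == 3:         # ICMP destination unreachable
        return "host unreachable" if body[1] == 1 else "unreachable (code %d)" % body[1]
    return "unknown"

def host_present(states):
    """Apply the post's reasoning to the states seen for one address."""
    if "open" in states or "closed" in states:
        return "yes (host answered)"
    if "host unreachable" in states:
        return "no (router reported it)"
    if states and all(s == "stealth" for s in states):
        return "likely (no unreachable message)"
    return "undetermined"

# Constructed sample replies (documentation addresses, not captured traffic).
ME, TARGET, ROUTER = (192, 0, 2, 10), (198, 51, 100, 7), (198, 51, 100, 1)
PROBE = ipv4(6, ME, TARGET, tcp(40000, 113, 0x02))            # our SYN
RST = ipv4(6, TARGET, ME, tcp(113, 40000, 0x14))              # RST+ACK
SYNACK = ipv4(6, TARGET, ME, tcp(80, 40000, 0x12))
UNREACH = ipv4(1, ROUTER, ME, struct.pack("!BBHI", 3, 1, 0, 0) + PROBE[:28])

if __name__ == "__main__":
    for name, pkt in [("RST", RST), ("SYN+ACK", SYNACK), ("ICMP 3/1", UNREACH), ("nothing", None)]:
        print(name, "->", classify(pkt))
```
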

