Re: Port scan from grc.com fails 1st time passes the 2nd?
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 03/17/05
- In reply to: Paul H: "Re: Port scan from grc.com fails 1st time passes the 2nd?"
Date: Thu, 17 Mar 2005 11:38:53 -0600
In article <nGXZd.183$q92.108@newsfe2-gui.ntli.net>, Paul H wrote:
>As far as I understand, "Stealth" in the context and terminology of a web
>based port scanner is a port on a host/router/Whatever that is both closed
>and invisible to the outside world...but I've been wrong before..;O)
0791 Internet Protocol. J. Postel. Sep-01-1981. (Format: TXT=97779
bytes) (Obsoletes RFC0760) (Updated by RFC1349) (Also STD0005)
(Status: STANDARD)
0792 Internet Control Message Protocol. J. Postel. Sep-01-1981.
(Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
(Also STD0005) (Status: STANDARD)
0793 Transmission Control Protocol. J. Postel. Sep-01-1981. (Format:
TXT=172710 bytes) (Updated by RFC3168) (Also STD0007) (Status:
STANDARD)
1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. Jan-01-1991.
(Format: TXT=65494 bytes) (Status: INFORMATIONAL)
You can find those RFCs at any IETF mirror on the web, such as
http://www.ietf.org/rfc/rfc0000.txt
http://www.faqs.org/rfcs/rfc0000.html
http://www.rfc-editor.org/rfc/rfc0000.txt
http://www.ccd.bnl.gov/network/general/rfc0000.html
http://www.cis.ohio-state.edu/htbin/rfc/rfc0000.html
Replace the four zeros with the FOUR digit document number (0791 not 791).
Ports are either open or closed. They are open when there is some server
program listening to the port. For example port 80 would be open on your
system if you are running a web server. If there is no server program
listening to the port, then the port is closed.
'Stealth' is a marketing term invented by grc.com's Steve Gibson where the
_operating system_ is blocked from returning an ICMP Unreachable (Type 3)
error message to a host that is trying to reach a closed port. He apparently
thinks that by not saying anything, your computer is "invisible". This is
apparently because he never bothered to look at a traceroute output. When
a host is truly not there (turned off or disconnected), the router one
step closer will send an ICMP Host Unreachable error. If that error is not
received, then the destination host exists, but has its pants down, and is
bending over with its head in the sand La, La, La, I can't see you,
you must not exist, La, La, La. Some networks block pings (which breaks
the windoze version of "TRACERT"), while others block ICMP outbound. There
are easy ways to detect this, but these require thinking and logic.
Some personal firewalls can be configured to send this 'ICMP Host Unreachable'
message, and that's great. The only problem is that the Host Unreachable
message is coming from the host that is supposed to be unreachable. What
did I say about thinking and logic?
>1st scan using grc.com's Shieldsup reports ports 21,23 and 80 are open
>2nd scan using grc.com's Shieldsup reports all ports stealthed
>Several scans at sygatetech and hackerwatch consistently report these three
>ports are open.
What do you see if you try to telnet (preferred) or point your web browser
at those three ports on localhost (or the specific IP address you have been
testing)? Do you get
[compton ~]$ telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
and some welcoming message, or do you get
[compton ~]$ telnet localhost 21
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[compton ~]$
>Are these ports open? If they are then it would seem that ShieldsUp is a
>very dangerous and misleading tool.
Most home firewalls default to logging connection attempts, so they can show
that they are on the job and protecting you from the malicious world. So,
what shows up in your logs? As for the ShieldsUp site, I'd bet if you did
some research at google on that site, or on Steve Gibson, you might find a
lot of opinions both ways.
Old guy
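
The telnet check suggested in the message above, written as a script that separates the outcomes the thread argues about: a completed connection, "Connection refused", an unreachable error, and plain silence (what the scan site labels "stealth"). This is an added example, not part of the original post; the function names and state labels are this example's own, and the ports in the demo are the three from the question.

```python
import errno
import socket

# Labels are this example's own; "no-reply" is what the scan page calls "stealth".
OPEN, CLOSED, UNREACHABLE, NO_REPLY = "open", "closed", "unreachable", "no-reply"


def classify_port(host, port, timeout=3.0):
    """Attempt one TCP connect and report what came back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN         # handshake completed: a server program is listening
    except ConnectionRefusedError:
        return CLOSED       # "Connection refused": host answered, nothing listening
    except socket.timeout:
        return NO_REPLY     # silence: the packets were dropped somewhere
    except OSError as e:
        # The local stack reported host/network unreachable, typically
        # because an ICMP unreachable error came back from the path.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise
    finally:
        s.close()


def check_ports(host, ports, timeout=3.0):
    """Classify several ports on one host; returns {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # Same test as 'telnet localhost 21', for the three ports in the question.
    for port, state in check_ports("127.0.0.1", [21, 23, 80]).items():
        print(f"{port}/tcp {state}")
```

Run it on the machine itself and again from a host outside the firewall, then compare both results with the firewall log for the same minute.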