Okay, so, just wondering what you guys thought about the age-old debate in port scans. Do you prefer stealthed or closed or shrouded ports, and why? Strictly from an administrator's POV.
If you use NMAP
nmap -p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
That's me all the time :)
Your question's answer depends on the situation, to be frank. I've never done a port scan outside legal boundaries.
Stealthed.
Oh I do love these threads...
A port is either open or closed. You can NAT 'em, PAT 'em, knock 'em, sock 'em, but no matter what you do to them, they are either open or closed.
That being said, from a port scan point of view, as a SysAdmin I prefer closed ports.
When I'm wearing other hats, I would prefer open ports.
I love ports 80, 110, 443-5, 3306, 3334-3337. And all things UDP!
The only reason why I'd ever scan anything is because a single-threaded SYN scan will always go by faster than a multithreaded attempt at actually connecting.
But what about ports 23 and 21, dinowuff!? Also, are there really any advantages to having closed ports? The biggest advantage I can think of when using stealthed and shrouded ports is the headache the attacker receives on your system =P Stealthing/shrouding your ports also forces the attacker to be a little noisier, wouldn't you say, and thus easier for an IDS to detect. On my home system, I like to set up my ports to be shrouded, but have it respond on random ports for each scan. Mostly just to mess with people's heads >.<
The advantage of a closed port is nothing can connect to that port.
Telnet - no use for it
FTP - I haven't tried a bounce scan in years. I don't know if the vulnerability of the FTP protocol that allowed that still exists.
If by messing with people's heads you mean common false positives or at best 0.00001th of a nanosecond's worth of processing then uh... no.
Quote:
Mostly just to mess with people's heads >.<
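To make the open/closed/stealthed distinction concrete from the scanner's side, here is an added Python example (not code from this thread or from any poster). It does a plain TCP connect against a loopback listener and against a loopback port nobody listens on, and classifies the result the way nmap would: a completed handshake is "open", a TCP RST (connection refused) is "closed", and no answer before the timeout, or an ICMP unreachable, is "filtered" (the "stealthed" case). Every host, port and timeout value below is a constructed assumption for the demo; 192.0.2.1 is the RFC 5737 documentation range, which is never routed, so the probe to it goes unanswered. The timing it records is the practical point: a closed port answers at once, a silently dropped one costs the scanner a full timeout, and any "filtered" result tells the scanner a packet filter is in the path.

```python
import socket
import time

# Constructed example, not code from the thread. Seconds to wait before a
# silent port is called "filtered"; real scanners use adaptive timeouts.
TIMEOUT = 1.0


def probe(host, port, timeout=TIMEOUT):
    """Return (state, seconds) for one TCP connect attempt.

    open     - the three-way handshake completed (something is listening)
    closed   - the host answered with a TCP RST (connection refused)
    filtered - no answer within `timeout`, or an ICMP unreachable: a packet
               filter dropped the SYN instead of letting the stack answer
    """
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            state = "open"
        except ConnectionRefusedError:  # RST came back: the port is closed
            state = "closed"
        except OSError:  # timeout (subclass of OSError) or ICMP unreachable
            state = "filtered"
    return state, time.monotonic() - start


def start_listener():
    """Open a listening socket on a free loopback port (an 'open' port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)  # the kernel completes handshakes even before accept()
    return srv, srv.getsockname()[1]


def free_port():
    """Pick a loopback port nobody listens on (a 'closed' port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def summarize(results):
    """Count states and note what a scanner learns from the mix.

    Any 'filtered' port reveals a packet filter in the path; any 'closed'
    port proves the host itself is up and answering.
    """
    counts = {"open": 0, "closed": 0, "filtered": 0}
    for state, _ in results.values():
        counts[state] += 1
    counts["filter_present"] = counts["filtered"] > 0
    counts["host_answers"] = (counts["open"] + counts["closed"]) > 0
    return counts


if __name__ == "__main__":
    srv, open_port = start_listener()
    results = {
        ("127.0.0.1", open_port): probe("127.0.0.1", open_port),
        ("127.0.0.1", free_port()): probe("127.0.0.1", free_port()),
        # Assumed unroutable target (RFC 5737 TEST-NET-1): the SYN is never
        # answered, which is exactly what a "stealthed" port looks like.
        ("192.0.2.1", 80): probe("192.0.2.1", 80),
    }
    srv.close()
    for (host, port), (state, secs) in results.items():
        print(f"{host}:{port:<5} {state:<8} {secs:.3f}s")
    print(summarize(results))
```

Run it as a script to see the three rows; note that only the "filtered" row takes anywhere near the full timeout, which is why a scan of a firewalled range drags while a scan of closed ports flies by.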
Not talking about the PORT command on FTP, dino >.< That is largely blocked anyhow. I was more getting along the lines of liking that port to be open as well as port 23. I am more curious on why you prefer closed ports to stealthed ports though, not open ports >.<
T-Spec, judging by your response, I would say vehemently use closed ports =P
A stealth port is an open port. The age old argument you refer to goes like this:
Side 0
- I want x ports open in case I need to use them, but want to hide them from the Internet. Reason for stealth: "if hackers can't see any ports they won't try to attack"
Side 1
- Bullshit. Only open ports that you need open, when you need them. Reason for closing ports: if a port is open you can connect to it.
I am on side 1
IMHO the Sales and Marketing departments of some "Firewall/AV/Security" vendor came up with this stealth B.S. for no other reason than a marketing strategy. I mean, really, how hard is it to allow everything but FTP on a firewall?
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 permit ip any any
30 seconds
So if you are discussing ports, you understand firewalls and how to use them.
If you are discussing ports, because you just left grc... That's another discussion (but I wanted to see if I could get spec fired up)
That Steve Gibson is the 1337357 h4x0r on the planet. I never cease to be amazed by what comes out of that guy's mouth. [for one reason or another :rolleyes:]