
Thread: stealth scanning ... what is it good for?

  1. #1

    stealth scanning ... what is it good for?

    Yes, I do know why you should use it, and I know that it is harder to detect, but ask yourself... why would you try to use all the different stealth scans, why would you try to send packets with an increasing delay, why would you use it if it's not as reliable as a connect scan... if all you can do is go to the nearest library or cyber-cafe and run a full scan from there and no one will ever be able to know your real IP or identity ...

    Seriously... what are the uses? One that I can think of is if the IDS is set up to drop packets or fake services when it detects a port scan, but if they already went to all the trouble to set that up, they should be able to detect stealth/FIN/... scans too.

    Ideas..?

  2. #2
    Maestr0 (Senior Member, joined May 2003, 604 posts)
    Using different settings in a scan can be used to determine how a perimeter firewall (or any other target) handles different packets and can often identify the type of hardware or software being used along with its rules. This can lead to exposing information which can be used later in an attack (or how to attack unnoticed). Someone who knows exactly what they are looking for may only need to send a few packets here and there and may not really be concerned with mapping all the ports. This is when sending a shitstorm of packets is not in the attacker's interest. Besides, a stealth scan might be noticed, yes, but a normal scan definitely will. Attackers like the element of surprise.
    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #3
    Point taken ... what I'm trying to say is that it is trivial for almost anyone to access another machine and do any footprinting from there...

    So the different types of scans are really used to see how the network behaves?

  4. #4
    Senior Member (joined Jul 2003, 114 posts)
    In addition to the element of surprise (which should not be taken lightly), there's the issue of convenience. Scanning a network can take a long time, even if you're going at aggressive speeds. If there's not a whole lot of time pressure, you can just set up a paranoid scan and let it run for a couple weeks. No standing out in a public park in the rain, holding an umbrella over your laptop. No shatter attacks on the library computers trying to get r00t, etc.

  5. #5
    nebulus200 (Jaded Network Admin, joined Jun 2002, 1,356 posts)
    There are a few reasons you would consider using stealth scans (for example SYN).

    1) You don't have to bother setting up the full connection (it looks for either SYN-ACK or RST as the reply and moves on), so it is faster.

    2) Your connection will usually not show up in the system log of the machine scanned (since you never completed the connection), with the exception of a system running some kind of HIDS like psionic portsentry.

    3) When combined with other methods (slowing the scan rate, randomizing ports, fragmenting packets, and spoofing the source), it can be very hard to track down who the real culprit is. TCP connection scans are a dead giveaway from the network level down to the host level.

    4) FIN scans at times can bypass inadequate firewall protection (non-stateful firewalls), because they will be treated like part of an existing conversation, kind of the same as setting the source port of the scan to 53, which will confuse older firewalls.


    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
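    nebulus200's points 2 through 4, illustrated with an added example that is not part of any post in this thread: a small network-level connection tracker replayed over a constructed packet trace. It shows why a half-open SYN probe never reaches the host's application log (the handshake is torn down before accept() would return, so only a network sensor or a HIDS sees it) and why a FIN probe, here sent from source port 53, is only waved through by a filter that keeps no connection state. The trace, the state names and the threshold are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed packet trace for this example (not a capture from the thread):
# (src, sport, dst, dport, flags) with S=SYN, SA=SYN-ACK, A=ACK, R=RST, F=FIN.
TRACE = [
    ("10.0.0.5", 40000, "10.0.0.10", 22, "S"),    # real connection / connect() scan:
    ("10.0.0.10", 22, "10.0.0.5", 40000, "SA"),   # full handshake, the server app sees it
    ("10.0.0.5", 40000, "10.0.0.10", 22, "A"),
    ("10.0.0.9", 50001, "10.0.0.10", 80, "S"),    # half-open SYN probes: SYN, SYN-ACK, then
    ("10.0.0.10", 80, "10.0.0.9", 50001, "SA"),   # RST from the prober, so accept() never
    ("10.0.0.9", 50001, "10.0.0.10", 80, "R"),    # returns and the host log stays empty
    ("10.0.0.9", 50002, "10.0.0.10", 443, "S"),
    ("10.0.0.10", 443, "10.0.0.9", 50002, "SA"),
    ("10.0.0.9", 50002, "10.0.0.10", 443, "R"),
    ("10.0.0.9", 50003, "10.0.0.10", 25, "S"),
    ("10.0.0.10", 25, "10.0.0.9", 50003, "R"),    # closed port: SYN answered with RST
    ("10.0.0.7", 53, "10.0.0.10", 139, "F"),      # FIN probes with no handshake, from source
    ("10.0.0.7", 53, "10.0.0.10", 445, "F"),      # port 53 so they resemble DNS replies
]

def track(trace):
    """Replay trace through a minimal TCP state table and return, per source IP,
    "half_open" = ports probed by SYN without reaching ESTABLISHED and
    "stateless" = ports hit by non-SYN packets with no handshake on record."""
    conns = {}                                    # (client, cport, server, sport) -> state
    hits = defaultdict(lambda: {"half_open": set(), "stateless": set()})
    for src, sport, dst, dport, flags in trace:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                          # client side opens a new entry
            conns[fwd] = "SYN_SENT"
        elif rev in conns:                        # reply from the server side
            if flags == "SA" and conns[rev] == "SYN_SENT":
                conns[rev] = "SYN_RECEIVED"
            elif flags == "R" and conns[rev] == "SYN_SENT":
                hits[rev[0]]["half_open"].add(sport)   # SYN to a closed port
                del conns[rev]
        elif fwd in conns:                        # follow-up from the client side
            if flags == "A" and conns[fwd] == "SYN_RECEIVED":
                conns[fwd] = "ESTABLISHED"        # normal handshake completed
            elif flags == "R" and conns[fwd] == "SYN_RECEIVED":
                hits[src]["half_open"].add(dport)  # torn down before the final ACK
                del conns[fwd]
        else:                                     # no state at all: a stateful filter drops
            hits[src]["stateless"].add(dport)     # this, a stateless one lets it through
    return dict(hits)

def scanners(trace, min_ports=2):
    """Source IPs that probed at least min_ports distinct ports without a full handshake."""
    return sorted(ip for ip, h in track(trace).items()
                  if len(h["half_open"] | h["stateless"]) >= min_ports)
```

    The fully established 10.0.0.5 connection never appears in the result, which is exactly the gap a host-only log leaves: the two probing sources are only visible to something that watches the packets themselves.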

  6. #6
    Scanning for a small set of ports, as well as having a large time gap between scans, is also a measure to avoid being blocked by an IDS. The idea is being stealthy, isn't it? You may need some more effort to get info, but you make sure it won't bring much attention.
    A small number of connections to a few ports from different locations and at different periods sounds like a better measure than using fake packets, which might easily be spotted as such. But sure, it doesn't cover all situations, so I maintain that stealth scanning has its uses.

    Found in a diary:
    ".... and yes, since i am a l337 hax0r, i am also using vi to write this. ^[[D^[[B^ exit ^X^C quit :x :wq dang it :w:w:w :x ^C^C^Z^D"

  7. #7
    Senior Member (joined Jul 2003, 114 posts)
    The original question was why would you bother being stealth at all, as opposed to just scanning from a public terminal/open hotspot/etc.

    And any admin that automatically blocks IPs when they detect a port scan is silly. Instant DoS attack - just forge some packets!

  8. #8
    "kind of the same as setting the source port of the scan as 53, which will confuse older firewalls."

    Can you explain... why is that???

    Also, since we are on the subject, does anyone know why sometimes a SYN scan can discover more open sockets than a connect scan???

  9. #9
    Senior Member (joined Jul 2002, 123 posts)
    Wow, very interesting, I did not know that about SYN scans, but recently I have not been able to get Nmap to connect to anything, even myself! Wish I knew why that was. But great post nebulus, ya learn somethin' new every day!
    speak your mind because those who matter don't mind and those who mind don't matter

  10. #10
    Elite Hacker (joined Mar 2003, 1,407 posts)
    Originally posted here by Alphaflux
    Wow, very interesting, I did not know that about SYN scans, but recently I have not been able to get Nmap to connect to anything, even myself! Wish I knew why that was. But great post nebulus, ya learn somethin' new every day!
    I had the same problem once. Try using less options. My problem was that I was pinging the hosts and they weren't responding, maybe that is your problem too. Also try not resolving hostnames.
