Port scan question?

Thread: Port scan question?

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    140

    Port scan question?

    i have super scan...
    What exactly am I looking for? Just open ports on the firewall that shouldn't be?
    Romans 7:14-20
    14 We know that the law is spiritual; but I am unspiritual, sold as a slave to sin. 15 I do not understand what I do. For what I want to do I do not do, but what I hate I do. 16 And if I do what I do not want to do, I agree that the law is good. 17 As it is, it is no longer I myself who do it, but it is sin living in me. 18 I know that nothing good lives in me, that is, in my sinful nature. For I have the desire to do what is good, but I cannot carry it out.

  2. #2
    Basically.

    (Ok guys, time to see how well I've learned what you taught me!) You've got three port states basically: open (you're a sitting duck), closed (but can be seen and thus broken into), and stealth (you're completely invisible). The goal is to configure a firewall so that you run in full stealth. Look for ports that are visible (open or closed, not stealth), and especially watch for ports that are open, for those are the ones that pose the greatest threat.

    Also, it's good to start learning which ports are of particular importance (which ports are popular targets) and what functions various ports normally serve. This is something I have yet to learn myself.

  3. #3

  4. #4
    Senior Member
    Join Date
    May 2004
    Posts
    140
    I am currently running a scan now... the firewall IP is 172.16.x.x, so I am running a scan on 172.16.x.x to 172.16.x.254. I came up with 11 ports open... I don't know what stealth mode is,
    or how to configure that in my PIX...

  5. #5
    Stealth mode simply means your firewall has hidden your ports. If a would-be attacker is scanning for open ports, he'll never see your computer because his SYN packets will be blocked at the firewall and never be responded to with ACK packets (thanks to Tig on my education on that one!). One way to test this is to go to www.grc.com and have them port scan you. It will tell you which ports are open, closed, or stealth. How this is configured depends on your firewall. Different firewalls have different config utilities and options.

    I highly suggest reading TigerShark's tutorial on SYN/ACK communication as well.

  6. #6
    Senior Member
    Join Date
    Mar 2003
    Posts
    135
    Originally posted here by AngelicKnight
    Basically.

    (Ok guys, time to see how well I've learned what you taught me!) You've got three port states basically: open (you're a sitting duck), closed (but can be seen and thus broken into), and stealth (you're completely invisible). The goal is to configure a firewall so that you run in full stealth. Look for ports that are visible (open or closed, not stealth), and especially watch for ports that are open, for those are the ones that pose the greatest threat.

    Also, it's good to start learning which ports are of particular importance (which ports are popular targets) and what functions various ports normally serve. This is something I have yet to learn myself.
    Stealth is nice, but its importance is overstated. There are still other ways to find out if someone is online. Someone could run a ping sweep, or scan for a p2p port (i.e., 1214 for FastTrack) or another popular port. To me, the IDS portion of a firewall is more important than the stealth aspect.

    Also, outside of a DoS attack, maybe someone could point me in the direction of a good resource detailing how a closed port (one that rejects instead of drops) is going to be exploited faster than a "stealthed" port, once the host is known?

    Just a couple of thoughts.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Jason: Unless you intend to separate a portion of your internal network from the rest of it, then it would appear you are scanning from the inside with those IP addresses. The following address blocks are reserved for private networks, and routers on the net will not route packets destined for them.

    192.168.xxx.xxx
    10.xxx.xxx.xxx
    172.16.xxx.xxx through 72.32.xxx.xxx (IIRC)

    You need to be at a location remote to your network and know the external address of the firewall to be able to properly scan it.

    [Edit]

    Angelic: A closed port can't be "exploited" in the traditional sense. It can be used to determine OS type but actual exploits can't work because the packets received on the closed ports are not acted upon. The proper thing for the closed port to do is to simply respond with an RST or RST/ACK.

    Keyser: Because the packet is responded to with an RST or RST/ACK, the scan tool knows the port's state and can move on. When the packets are dropped, the scanner must try several times in case the packet was lost in transit. Each time it tries it must also wait for an allotted period of time before it retries.... Hence, scanning a firewalled machine usually takes quite a bit longer than an unfirewalled machine.

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
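
    To make the three port states from post #5 and the timing argument from post #7 concrete, here is a small added example (my own code, not from this thread or any of the tools named in it). It probes a TCP port the way a connect scan does and classifies the result: a completed handshake is "open", an immediate RST (ECONNREFUSED) is "closed", and silence is retried and finally reported as "filtered", which is exactly why dropped probes cost the scanner the most time. The timeout and retry values are constructed, and the demo targets only a loopback listener the script creates itself.

    ```python
    import errno
    import socket
    import time

    # Constructed timing parameters; real scanners choose their own.
    TIMEOUT = 0.5   # seconds to wait for SYN/ACK or RST before giving up
    RETRIES = 3     # how often a silent (dropped) probe is re-sent


    def probe(host, port, timeout=TIMEOUT, retries=RETRIES):
        """Classify one TCP port as the thread describes.

        open     -> handshake completed (a SYN/ACK came back)
        closed   -> peer answered with RST, so connect() fails at once with
                    ECONNREFUSED; a single attempt settles it
        filtered -> nothing came back (the firewall dropped the SYN); the probe
                    is re-sent `retries` times, waiting `timeout` each time
        Returns (state, attempts, elapsed_seconds).
        """
        start = time.monotonic()
        for attempt in range(1, retries + 1):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return "open", attempt, time.monotonic() - start
            except socket.timeout:
                continue  # silence: retry, as a scanner must assume packet loss
            except OSError as e:
                if e.errno == errno.ECONNREFUSED:
                    return "closed", attempt, time.monotonic() - start
                return "unreachable", attempt, time.monotonic() - start
            finally:
                s.close()
        return "filtered", retries, time.monotonic() - start


    def worst_case_seconds(n_ports, timeout=TIMEOUT, retries=RETRIES):
        """Upper bound on scan time if every one of n_ports silently drops the SYN."""
        return n_ports * retries * timeout


    def demo():
        # Constructed local target: a loopback listener, then the same port after
        # the listener is gone (the kernel then answers RST, i.e. "closed").
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = probe("127.0.0.1", port)
        srv.close()
        after_close = probe("127.0.0.1", port)
        return while_open[0], after_close[0], port
    ```

    Run `demo()` to see "open" then "closed" from the same port; `worst_case_seconds(17)` shows how much longer 17 stealthed ports can take than 17 that answer RST, which is the point made about scanning a firewalled machine.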

  8. #8
    Also, outside of a DOS attack, maybe someone could point me in the direction of a good resource detailing how a closed port (one that rejects instead of drops) is going to be exploited faster than a "stealthed" port, once the host is known?
    Read TheHorse13's tutorials on Nmap. He discusses breaking through closed ports using that program.

  9. #9
    Senior Member
    Join Date
    May 2004
    Posts
    140
    Thank you guys
    What exactly am I doing when I scan from inside the network? It ended up saying I had 17 ports open... what does that mean then?

  10. #10
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    3 things (2 questions, and a reply)

    first - just to clarify, are you scanning internally or externally
    second - what kind of router
    and
    third - it means that your router has those 17 ports open, AND can accept communication on them
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One Use Hardened Gentoo
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM
