February 16th, 2006, 12:05 AM
For quite some time now I have been contemplating the marketing techniques of various businesses and how they toy with our hopefulness. It doesn’t appear they respect or even acknowledge any hallowed ground! Some fill the airwaves (or in this case your computer screen) with deceptions, while others use half-truths and the like. The ”Stealth” classification of a firewall is a classic example of leaving out a large portion of “the rest of the story” as Paul Harvey would say. After all wouldn’t you like to be completely undetectable to all the predators on the Internet, “Stealthed” if you will? Who wouldn’t? How many benefits could you enjoy if you were actually invisible while surfing the Net? Thus the gambit.
My objective here is not to necessarily bash those that suggest the claim. But rather, to help clarify the parameters of that classification and illustrate where I believe you really stand in relation to this categorization. Hopefully the follow-on posts will also provide some additional enlightenment where I may have fallen short.
To establish a control of sorts, I employed one home computer with a basic install of Win98SE (it could have been XP, but it doesn’t really matter as long the firewall would install), completed a default install with one of the popular MS compatible software firewalls that tosses packets and controls outbound traffic, then installed Firefox with the default settings. No proxies were employed either.
Once that was all finished I pulled the computer out from behind a dedicated appliance (no bias there ehhh… ) and hooked it directly to the DSL Modem. It was to be mano a mano. A “Stealth” rated Firewall versus the Internet. After the usual allow/deny routines were completed, I was off to see if I could receive a “TCP & UDP ALL – FILTERED” “No response packets were received” from dslreports and obtain a “PASSED” – “TruStealth Analysis” from GRC. These ratings were obtained with the control configuration so in the next few paragraphs I should provide how they determined that rating
From dslreports.com (may not be an exact replication because of font, special character usage, etc.):
This is a basic TCP/UDP port scan. The TCP (full connect) scan starts first, and results are shown as ports are found.
The UDP scan goes next and must complete, before any results are shown.
The maximum test duration is 60 seconds for the TCP scan and 60 seconds for the UDP scan.. Firewall software or hardware may cause the scans to exceed the time limit and be terminated.
Key to table
From scans done in the last 24 hours, we show the microsoft PCs that export NETBIOS information to the world. These NETBIOS names provide clues to the logged in user or role of the computer.
means we were able to negotiate a connection to the disk
of that computer, almost certainly this was not expected by the owner.
means we could see a range of NETBIOS services (disks, printers and IPCs) offered, and although a guest account was not available, it may not be hard to crash or destabilize or guess passwords on this PC.
monitor.dslreports.com scanning XX.XX.XX.XX
does NOT respond to a ICMP ping
does NOT respond to a TCP ping
does NOT respond to a UDP ping
testing TCP ports with SYN packets
data on 0 ports collected
testing UDP ports for echos
Open TCP port 139 was NOT seen
microsoft netbios check skipped
Press results button.
Your Results for this scan
Healthy Setup! We could detect no interesting responses from any of the commonly probed TCP and UDP ports. It would be difficult for an attacker to know where to start without further information.
From grc.com (may not be an exact replication because of font, special character usage, etc.):
As indicated above, the sites employed TCP/UDP Port Scans and/or ICMP ECHO Requests, etc., to establish the “Stealth” rating. Although we did receive the rating, they didn’t scan all the ports, only the common ones.
Checking the Most Common and Troublesome Internet Ports
This Internet Common Ports Probe attempts to establish standard TCP Internet connections with a collection of standard, well-known, and often vulnerable or troublesome Internet ports on YOUR
computer. Since this is being done from our
server, successful connections demonstrate which of your ports are "open" or visible and soliciting connections from passing Internet port scanners.
Your computer at IP:
Is being profiled. Please Stand by…
- - - - - - - - - -
Total elapsed testing time: 5.006 seconds
“PASSED” TruStealth Analysis “PASSED”
Your system has achieved a perfect
"TruStealth" rating. Not a single packet
— solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.
Regardless, off we venture. Both sites provided some pretty convincing suggestions that I was invisible while online! The first stated that I had a “Healthy Setup! We could detect no interesting responses from any of the commonly probed TCP and UDP ports.” The second stated that the computer has achieved a perfect "TruStealth" rating. What could this lead me to believe? Can’t See Me! It is this very assumption wherein the problem lies. When scanned, the firewall drops the packets and does not respond. However, in accordance with the TCP RFC, RFC 793, etc.; you darn tootin’ there are anticipated responses to those scans! And here are some of those responses for a few of the scan types:
TCP Connect, SYN Packet sent – Anticipated Response: SYN/ACK.
TCP SYN (half-open scan), SYN Packet sent to a particular port – Anticipated Response: SYN/ACK or RST/ACK.
TCP Xmas Tree, FIN, URG, and PUSH packet to a particular port – Anticipated Response: RST if closed.
UDP, UDP packet to a particular port – “ICMP port unreachable” if closed. One of the few that may not respond if the port is in fact open.
Now granted some of the scans over the Internet are just tossed out there with the deviant fishing in the IP pond hoping he/she will land the catch of the day. However don’t believe for a moment that your existence isn’t known. The dark side is also scanning specific IP Addresses and when they don’t receive the anticipated response…well Tiger Shark said it best the other day, “You know damn well the port is there because you know the computer is there”.
At this point we could even toss out the Port Scans and with only a small amount of RECON or “Footprinting” your presence could be known. How? Folks appear to be pretty good about not revealing too much personal information in the Chat Rooms or Forums. However the same cannot be said about their personal web pages. It’s truly surprising what you can learn from them; actual names, photos, and the like! Seems this is where they like to strut their stuff. In some cases you might as well of cooked dinner for them. Did you also leave any critical information in the HTML source? Additionally, if your site is www.hereIam.net, what will a Lookup provide?
On another thread I made the following comment, “Most of the time you can't see a fart, however your other senses will appraise you of it's presence.” Pretty good analogy I think! Even though your firewall is dropping packets and you believe you are invisible, your computer is broadcasting information. To prove this point, it’s time for a forum field trip. Open another browser window and let’s go visit the following Web Site: Click Here. Any of that stuff look familiar? Here’s the information on the Win98 Box:
Info obtained by PHP on the server:
Operating System: Win98
Entire User Agent String: Mozilla/5.0 (Windows; U; Win98; en-US; rv: 1.7.12)
Remote Client Port:
Java Enabled: True
Browser Version: 5.0 (Windows; en-US)
CPU Class: Undefined
Mozilla Default Plug-in
QuickTime Plug-in 6.4
Java™ 2 Platform Standard Edition 5.0
Color Depth: 32
“HTML Referring” obtained your information. Obviously Irongeek is a good source for the “How to” with this and I thank him for this use of his site. Also another reference on the particulars of how a Web Site obtains that information can be found Here. It would also be worth your while to review their section on Internet Cookies. Those cookies and your forum sessions can be hijacked which could result in someone logging into your accounts! Now that’s even more comforting.
Still feel “Stealthed”? I don’t. It’s time to clean that non-sense off the hard drive.
Connection refused, try again later.