
Thread: Stealthed?

  1. #1
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675

    Stealthed?

    Good Day,

    For quite some time now I have been contemplating the marketing techniques of various businesses and how they toy with our hopefulness. It doesn’t appear they respect or even acknowledge any hallowed ground! Some fill the airwaves (or in this case your computer screen) with deceptions, while others use half-truths and the like. The “Stealth” classification of a firewall is a classic example of leaving out a large portion of “the rest of the story” as Paul Harvey would say. After all wouldn’t you like to be completely undetectable to all the predators on the Internet, “Stealthed” if you will? Who wouldn’t? How many benefits could you enjoy if you were actually invisible while surfing the Net? Thus the gambit.

    My objective here is not to necessarily bash those that suggest the claim. But rather, to help clarify the parameters of that classification and illustrate where I believe you really stand in relation to this categorization. Hopefully the follow-on posts will also provide some additional enlightenment where I may have fallen short.

    To establish a control of sorts, I employed one home computer with a basic install of Win98SE (it could have been XP, but it doesn’t really matter as long the firewall would install), completed a default install with one of the popular MS compatible software firewalls that tosses packets and controls outbound traffic, then installed Firefox with the default settings. No proxies were employed either.

    Once that was all finished I pulled the computer out from behind a dedicated appliance (no bias there ehhh… ) and hooked it directly to the DSL Modem. It was to be mano a mano. A “Stealth” rated Firewall versus the Internet. After the usual allow/deny routines were completed, I was off to see if I could receive a “TCP & UDP ALL – FILTERED” “No response packets were received” from dslreports and obtain a “PASSED” – “TruStealth Analysis” from GRC. These ratings were obtained with the control configuration, so in the next few paragraphs I should provide how they determined that rating.


    From dslreports.com (may not be an exact replication because of font, special character usage, etc.):

    This is a basic TCP/UDP port scan. The TCP (full connect) scan starts first, and results are shown as ports are found.

    The UDP scan goes next and must complete, before any results are shown.

    The maximum test duration is 60 seconds for the TCP scan and 60 seconds for the UDP scan. Firewall software or hardware may cause the scans to exceed the time limit and be terminated.

    Key to table
    From scans done in the last 24 hours, we show the microsoft PCs that export NETBIOS information to the world. These NETBIOS names provide clues to the logged in user or role of the computer.

    means we were able to negotiate a connection to the disk of that computer, almost certainly this was not expected by the owner.

    means we could see a range of NETBIOS services (disks, printers and IPCs) offered, and although a guest account was not available, it may not be hard to crash or destabilize or guess passwords on this PC.

    monitor.dslreports.com scanning XX.XX.XX.XX
    does NOT respond to a ICMP ping
    does NOT respond to a TCP ping
    does NOT respond to a UDP ping
    testing TCP ports with SYN packets
    data on 0 ports collected
    testing UDP ports for echos
    Scan complete.
    Open TCP port 139 was NOT seen
    microsoft netbios check skipped

    Press results button.

    Your Results for this scan

    Conclusion:
    Healthy Setup! We could detect no interesting responses from any of the commonly probed TCP and UDP ports. It would be difficult for an attacker to know where to start without further information.

    From grc.com (may not be an exact replication because of font, special character usage, etc.):

    Checking the Most Common and Troublesome Internet Ports

    This Internet Common Ports Probe attempts to establish standard TCP Internet connections with a collection of standard, well-known, and often vulnerable or troublesome Internet ports on YOUR computer. Since this is being done from our server, successful connections demonstrate which of your ports are "open" or visible and soliciting connections from passing Internet port scanners.

    Your computer at IP:
    XX.XX.XX.XX
    Is being profiled. Please Stand by…

    - - - - - - - - - -

    Total elapsed testing time: 5.006 seconds

    “PASSED” TruStealth Analysis “PASSED”

    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

    As indicated above, the sites employed TCP/UDP Port Scans and/or ICMP ECHO Requests, etc., to establish the “Stealth” rating. Although we did receive the rating, they didn’t scan all the ports, only the common ones.

    Regardless, off we venture. Both sites provided some pretty convincing suggestions that I was invisible while online! The first stated that I had a “Healthy Setup! We could detect no interesting responses from any of the commonly probed TCP and UDP ports.” The second stated that the computer has achieved a perfect "TruStealth" rating. What could this lead me to believe? Can’t See Me! It is this very assumption wherein the problem lies. When scanned, the firewall drops the packets and does not respond. However, in accordance with the TCP RFC, RFC 793, etc.; you darn tootin’ there are anticipated responses to those scans! And here are some of those responses for a few of the scan types:


    TCP Connect, SYN Packet sent – Anticipated Response: SYN/ACK.

    TCP SYN (half-open scan), SYN Packet sent to a particular port – Anticipated Response: SYN/ACK or RST/ACK.

    TCP Xmas Tree, FIN, URG, and PUSH packet to a particular port – Anticipated Response: RST if closed.

    UDP, UDP packet to a particular port – “ICMP port unreachable” if closed. One of the few that may not respond if the port is in fact open.


    Now granted some of the scans over the Internet are just tossed out there with the deviant fishing in the IP pond hoping he/she will land the catch of the day. However don’t believe for a moment that your existence isn’t known. The dark side is also scanning specific IP Addresses and when they don’t receive the anticipated response…well Tiger Shark said it best the other day, “You know damn well the port is there because you know the computer is there”.

    At this point we could even toss out the Port Scans and with only a small amount of RECON or “Footprinting” your presence could be known. How? Folks appear to be pretty good about not revealing too much personal information in the Chat Rooms or Forums. However the same cannot be said about their personal web pages. It’s truly surprising what you can learn from them; actual names, photos, and the like! Seems this is where they like to strut their stuff. In some cases you might as well have cooked dinner for them. Did you also leave any critical information in the HTML source? Additionally, if your site is www.hereIam.net, what will a Lookup provide?

    On another thread I made the following comment, “Most of the time you can't see a fart, however your other senses will apprise you of its presence.” Pretty good analogy I think! Even though your firewall is dropping packets and you believe you are invisible, your computer is broadcasting information. To prove this point, it’s time for a forum field trip. Open another browser window and let’s go visit the following Web Site: Click Here. Any of that stuff look familiar? Here’s the information on the Win98 Box:


    Info obtained by PHP on the server:

    IP: XX.XX.XXX.XXX

    Hostname: XX.XX.XXX.XXX.ima.goodguy.net

    Operating System: Win98

    Entire User Agent String: Mozilla/5.0 (Windows; U; Win98; en-US; rv: 1.7.12)
    Gecko/20050915/Firefox 1.5.0.1

    Referrer:

    Remote Client Port:


    Info obtained by JavaScript on the client:

    Java Enabled: True

    Browser: Netscape

    Browser Version: 5.0 (Windows; en-US)

    Platform: Win32

    CPU Class: Undefined

    Plugins:
    Mozilla Default Plug-in
    QuickTime Plug-in 6.4
    Java™ 2 Platform Standard Edition 5.0
    Adobe Acrobat

    Resolution: 1024x768

    Color Depth: 32


    “HTML Referring” obtained your information. Obviously Irongeek is a good source for the “How to” with this and I thank him for this use of his site. Also another reference on the particulars of how a Web Site obtains that information can be found Here. It would also be worth your while to review their section on Internet Cookies. Those cookies and your forum sessions can be hijacked which could result in someone logging into your accounts! Now that’s even more comforting.


    Still feel “Stealthed”? I don’t. It’s time to clean that nonsense off the hard drive.

    cheers
    Connection refused, try again later.
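    The anticipated responses listed in the post above, turned into the decision logic a scanner applies to them. This is an added Python example, not code from the original post or from either test site; the port numbers and reply tables are constructed. It also shows the point made in reply #4 further down: a table in which every probe went unanswered is exactly what an unallocated address produces, so at the transport layer a drop-everything firewall cannot be told apart from no host at all, while a single RST or SYN/ACK settles that the machine is there.

```python
"""Port-state inference from probe replies, as a scanner sees it.

Added example, not code from the original post. It encodes the responses
the opening post lists for each scan type (SYN/ACK for open, RST for
closed, ICMP port unreachable for a closed UDP port) and shows why a
firewall that silently drops packets is scored "stealth": a dropped probe
and a probe sent to an address with no host behind it both yield nothing.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# TCP control bits in the order RFC 793 lists them.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Reply:
    """One reply to one probe: a TCP segment (flags), an ICMP message
    (type/code) or a UDP datagram. The scanner records None for silence."""
    proto: str            # "tcp", "icmp" or "udp"
    tcp_flags: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def classify(probe: str, reply: Optional[Reply]) -> str:
    """Infer a port's state from one probe/reply pair.

    probe is "syn" (TCP connect or half-open), "xmas" (TCP FIN/URG/PSH)
    or "udp". Returns "open", "closed", "filtered", "open|filtered"
    (silence that could be either) or "unknown".
    """
    if reply is None:
        # RFC 793 obliges a live host to answer a SYN with SYN/ACK or RST,
        # so silence to a SYN means something dropped the probe: a firewall
        # or an address with no host. An open port may legitimately stay
        # silent to a FIN/URG/PSH or UDP probe, so there silence cannot
        # even be pinned on a filter.
        return "filtered" if probe == "syn" else "open|filtered"

    if reply.proto == "icmp":
        if reply.icmp_type == 3 and reply.icmp_code == 3 and probe == "udp":
            return "closed"       # port unreachable: host is up, nothing listening
        if reply.icmp_type == 3:
            return "filtered"     # other unreachables (e.g. code 13, admin prohibited)
        return "unknown"

    if reply.proto == "tcp":
        if reply.tcp_flags & SYN and reply.tcp_flags & ACK:
            return "open"         # SYN/ACK: a listener accepted the handshake
        if reply.tcp_flags & RST:
            return "closed"       # RST or RST/ACK: host is up, port not listening
        return "unknown"

    if reply.proto == "udp":
        return "open"             # an application answered the datagram
    return "unknown"


def summarize(probe: str, replies: Dict[int, Optional[Reply]]) -> Dict[int, str]:
    """Classify every port in a recorded probe/reply table."""
    return {port: classify(probe, r) for port, r in replies.items()}


def host_evident(states: Dict[int, str]) -> bool:
    """True when at least one verdict proves a host exists at the address.

    An all-"filtered" table is what a drop-everything firewall produces,
    and also what an unallocated address produces; a single "open" or
    "closed" verdict is enough to settle that the machine is there.
    """
    return any(s in ("open", "closed") for s in states.values())


# Constructed sample tables (not captures from the post): the same four
# ports probed with SYN against a firewall that drops everything, against
# a host with no firewall and nothing listening, and against a host with
# one service exposed.
PORTS = (22, 80, 139, 445)
DROP_ALL = {p: None for p in PORTS}
NO_FIREWALL = {p: Reply("tcp", tcp_flags=RST | ACK) for p in PORTS}
ONE_SERVICE = {**NO_FIREWALL, 80: Reply("tcp", tcp_flags=SYN | ACK)}

if __name__ == "__main__":
    for name, table in (("drop-all firewall", DROP_ALL),
                        ("no firewall", NO_FIREWALL),
                        ("one service", ONE_SERVICE)):
        states = summarize("syn", table)
        print(f"{name:18} {states}  host evident: {host_evident(states)}")
```

    Run as a script it prints the three tables; the drop-all case comes back as all "filtered" with no evidence of a host, which is precisely the output the two test sites translate into a "stealth" rating.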

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm,

    I have wondered what the response would be if an IP address was scanned and there really wasn't a computer there.

    The reason I asked was that my ISPs allocate a new IP address each time you connect to them. At any point in time they will have a fair number of addresses that have not been allocated.

    Would that look any different from an IP address that had been allocated but was supposedly "stealthed"?


  3. #3
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Hey Nihil,

    More frequently than I desire, my so-called dynamically assigned IP has become more like semi-static. Although I don’t reboot the DSL Modem that often, when I do, I am receiving the same IP quite frequently (and it's assigned by a major company).

    Just happens I was reading another post and found the same thing indicated. I don't know much about the reputation of the Register but here’s part of the info:

    But as broadband connections have become inexpensive and pervasive, we are increasingly being tracked by our IP addresses at home. If you have high speed internet at home, odds are your IP address is relatively static now - cable and DSL modems are often assigned the same IP address for up to a year. Website owners can track your repeat visits much more easily - what time you arrived, how long you stayed, and how often you come back. Nothing new here. Many of us disable cookies in our browsers too, but that semi-static IP address at home can have just as big an impact on your privacy as cookies do.
    Source

    cheers
    Connection refused, try again later.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Johnno,

    Technically, a computer that doesn't exist would be seen as "All ports Filtered", because no response could be elicited from any port because they aren't there thus appearing to be a firewall dropping the packets.

    I think by the fact that Relyt quoted me, (thanks mate), that most here know that this is a huge bugbear of mine... This is what makes me laugh hard:-

    Total elapsed testing time: 5.006 seconds

    “PASSED” TruStealth Analysis “PASSED”

    Phhht... Say what???? In 5.006 seconds GRC scanned my entire box, TCP, UDP and ICMP across the internet and has determined that the box doesn't exist. Damn, that man is a genius. 65,355 ports, twice, (TCP and UDP remember), in 5 seconds... quite remarkable. No it's not, a few years ago I did a packet capture on GRC to see what it was they did do... It wasn't very much at all... Certainly, in the sense of _knowing_ whether a computer was there or not it was dismally lacking. GRC checks a few, and I mean a few, of the common ports with a heavy emphasis on NetBIOS, (because that's where his "scanner" was born out of IIRC), and then he makes his "proclamation". Despite the fact that every Trojan in the world could be listening on any port it likes other than the few he tests he still proclaims you as safe. And that's what bugs the bejeebers outta me. Poor old Joe Public just got a clean bill of health just the same as he does from his Dr. and so he's happy till his next annual physical - all the while the cancer is eating away at him because, like GRC's scan, the Dr. doesn't test for everything in the annual physical - just the common things...

    Now let's compare the blurbs of the two "providers" used.

    DSLReports stated:-

    Conclusion: Healthy Setup! We could detect no interesting responses from any of the commonly probed TCP and UDP ports. It would be difficult for an attacker to know where to start without further information.

    Ohh.. Look... Look... That looks quite "honest"... It states it could _detect_ "no interesting responses"... That's fair. But it goes on... "from any of the _commonly_ probed...". There, see.. No hype.. DSLReports states up front that it didn't do everything... Just the common ports. Then it says the last sentence... Which is absolutely accurate...

    Ok... Let's look at GRC...

    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

    Now... Everyone take a deep breath please.... Can you smell the bullshit too???? I don't think I need to take it apart piece by piece - we're all smart enough to see the difference.

    Where I come from the difference is called "responsibility"... GRC falls sadly short... Funnily enough I do believe it was dear Mr. Gibson that coined the term "Stealth"... Now it's getting a bit worn out he's hyped it up again - now it's TruStealth... 'Nuff said?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Thank you Gentlemen,

    That has clarified things for me. I was aware that this "stealth" thingy was not what it was made out to be. Either the computer is there or it is not.

    It seems to be one of those "security through obscurity" concepts? You are relying on the fact that a computer with a firewall that is dropping the packets "looks like" an unassigned IP address. So, a skiddie scanning a large block of IP addresses will presumably "see" a fair number of these and not know the difference at first glance?

    You are then relying on laziness, and hoping that they go for "more interesting responses".

    This is obviously no defence against a considered and determined attack?

    Relyt thanks for that, I do read the Register, as it is "local" to me and has all sorts of interesting stuff.

    I have been looking at what my ISP does regarding my IP address. After our discussion last night, I quickly disconnected and reconnected, and got the exact same IP. Now, I always turn my machines off at night, so when I log on today, I find that I have a different addy. This is consistent behaviour, although not guaranteed. Over here you have to pay extra if you want a static IP, and they would probably charge you at business rates.

    I think that some providers say "dynamic" when they mean that "if we have to fix a server you may not get the same one again"

    AFAIK, cable over here generally has effectively got a static addy, but not guaranteed unless you pay extra.

    The 56.6 dial-up is certainly dynamic, even if you drop the connection for a few seconds. I wonder if that might have something to do with the business model? We have "free ISPs"........they provide the service for free and get paid by the telcos, based on usage. We pay our telcos for the phone connection.

    You can, of course get a pay for, fixed charge subscription account, that includes the phone element, but I have never had one so I don't know about IP allocations there. I suspect it is the same as the "pay as you go" from the billing mechanism.

    Once again,

    thanks guys,

    Johnno

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Thanks for the comments Tiger & Nihil,

    I had a dream last night that I was traveling down a major interstate hiway (the Internet) and took an exit(entered his url) to get some information. Just as I entered the off-ramp I could see that the circus was in town. There were bright lights, things spinning around, claims of a lion tamer, all sorts of things, and even fireworks! Based on all the advertising, it seems like everything would be on the up and up. However right in front of the big top, was a medicine man promising to cure everything that ails you. And one potion he was pushing was his rare "TruStealth Oil". Just a little of this and you would be invisible and be able to move around freely and no one would be able to detect your presence....

    cheers
    Connection refused, try again later.

  7. #7
    Senior Member JonnyFrond's Avatar
    Join Date
    Jan 2006
    Posts
    238
    Two excellent threads in one day, I feel privileged. This is a subject that I have never been able to understand in principle. I do not understand so much of the techy stuff yet (but that is changing) but in principle stealth of a computer does not make sense. Stealth implies hidden from detection, right? But wherever you go, doesn't your ISP log your IP address and keep logs by Law?

    Now as you guys have been saying here, you don't have to be able to see a fart to know it is there. Now surely an IP address with no computer behind it is just a number, right? Well, why would anyone log an empty number? It would be like me making up random phone numbers and just writing them down in a book; no use to anyone. Yet when I pick up the phone, I can tell if someone has phoned me by dialing a number, sometimes I will get the number, and sometimes it will not be available, but it is still there. I don't get random phone numbers.

    Now when I did some of these online scans on my pc, they all came back as brilliant, nicely stealthed. But that is like going up to someone in camouflage, and saying nice clothes.

    This is good to know, there is too much BS flying around the internet at the moment, not only misinformation, simple ignorance of info, but disinformation, wrong information dished out on purpose to throw people off track - a concept I learned about from Robert Anton Wilson the illuminati author. How you can tell whether or not information is true or not is often down to interpretation, but a good questioning of the subject I think is a good healthy way to live to enhance experience in general.

    Thanks for bringing this to light.

    One question now comes to my mind on a more technical point. Whenever I have contacted my ISP, they always go on about how a static IP address is better. But that just means you are easier to find, no?

    yours conspiratorially
    Jonny Frond 002 and a half.
    Sarcasm is a way of life

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If your firewall properly _drops_ everything inbound then your computer would appear not to be there... But it only takes one response to something to give that away. Remember also, you might have given your computer's presence away in other ways such as visiting a web site. That would tell me you do exist so, knowing that, your properly configured firewall showing nothing there tells me that you have a properly configured firewall... so I need to find another way to attack you... or move on to lower hanging fruit...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Relyt, great post bud. Gotta love the jargon people love to fling around these days. But of course, you won't be able to see this post because according to most online security tests, not only am I stealthed, my computer doesn't exist, and I'm actually Edgar Allan Poe.

    Seriously though, one site that opened my eyes was Gemal/Browser Spy. Browsers transmit a wealth of information that people don't know or don't care to know. There is a necessary evil out there called javascript. Ask the common user what javascript is, and they'll most likely respond "is that the stuff I get in my email junk box?" Even with my nice little NoScript! add-on to firefox, this site can still determine a fair amount of information about my computer. So, the solution seems simple...disable javascript and anything else that reveals information about your computer! Sure. Using that logic, if I want to avoid getting speeding tickets, all I have to do is take the wheels off my car!

    In all seriousness though, it's irritating that sites are duping people into thinking they're safe when they're not or that they're invisible, etc. I'm glad you brought it up. If people want stealth, I suppose they could use a proxy but even then, it's not true stealth. Maybe a wifi enabled laptop, a car, and a MAC spoofing program? I don't know.
    I guess my only advice for people who want true stealth is to use some kind of IP configuration program, release their IP and *poof* they're stealth! NO more IP!
    ....no more internet connection either but, let's not get too technical

    Btw, for those of you who want to have fun. You can use the add-on User Agent Switcher to send false information to sites you visit. I believe it only works with FireFox and Mozilla though. Originally intended to increase functionality, it's still fun to see some sites come up with incorrect information about your computer. (By messing with a couple fields, I was able to trick a few sites into reporting that I was using Windows 98 and Opera).
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
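    The opening post's "Info obtained by PHP on the server" listing and ShagDevil's User Agent Switcher note above come down to the same fact: apart from the peer address on the socket, every field a server "knows" about a visitor is a header the browser chose to send. The example below is added Python, not code from the original posts or from Irongeek's or Gemal's sites. It rebuilds that server-side listing from a constructed raw HTTP request carrying the User-Agent string quoted in the opening post, then parses a constructed spoofed Opera/Windows XP string to show the server reports whatever it is told. The request path, host name and peer address are made up, and the OS token table is an assumption, not any site's real mapping.

```python
"""What a web server learns from a request, without any JavaScript.

Added example, not code from the original posts. It rebuilds the
"Info obtained by PHP on the server" fields from the only two things a
server actually has: the socket's peer address and the request headers.
Everything beyond the address is self-reported by the browser.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed platform-token table (not any real site's mapping). Specific
# tokens come before generic ones so "Windows NT 5.1" is not reported as
# plain Windows.
OS_TOKENS = [
    ("Win98", "Win98"),
    ("Windows NT 5.1", "Windows XP"),
    ("Windows NT", "Windows NT (other)"),
    ("Windows", "Windows (unspecified)"),
    ("Mac OS X", "Mac OS X"),
    ("Linux", "Linux"),
]
BROWSERS = ("Firefox", "Opera", "MSIE")


@dataclass(frozen=True)
class ClientProfile:
    os: str
    browser: str
    version: str
    language: str


def profile_from_user_agent(ua: str) -> ClientProfile:
    """Parse the parenthesised platform section and the product tokens."""
    m = re.search(r"\(([^)]*)\)", ua)
    tokens = [t.strip() for t in m.group(1).split(";")] if m else []

    os_name = "Unknown"
    for token, label in OS_TOKENS:
        if any(token in t for t in tokens):
            os_name = label
            break

    # Language tags look like "en" or "en-US"; tokens such as "U" or
    # "rv: 1.7.12" do not match this shape.
    language = next((t for t in tokens
                     if re.fullmatch(r"[a-z]{2}(-[A-Z]{2})?", t)), "")

    browser, version = "Unknown", ""
    for name in BROWSERS:
        bm = re.search(rf"{name}[/ ]([\d.]+)", ua)
        if bm:
            browser, version = name, bm.group(1)
            break
    return ClientProfile(os_name, browser, version, language)


def server_side_fields(raw_request: str, peer: Tuple[str, int]) -> Dict[str, object]:
    """Produce the post's server-side listing from a raw HTTP request.

    peer is (address, port) from the accepted socket. The post's Hostname
    line comes from a reverse DNS lookup of that address and is left out
    so the example runs offline.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:            # skip the request line
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()

    ua = headers.get("user-agent", "")
    prof = (profile_from_user_agent(ua) if ua
            else ClientProfile("Unknown", "Unknown", "", ""))
    return {
        "IP": peer[0],
        "Remote Client Port": peer[1],
        "Operating System": prof.os,
        "Browser": f"{prof.browser} {prof.version}".strip(),
        "Language": prof.language,
        "Entire User Agent String": ua,
        "Referrer": headers.get("referer", ""),    # blank when none was sent
    }


# Constructed request: the User-Agent is the string the opening post shows
# for the Win98 box; path, host and peer address are made up.
POST_UA = ("Mozilla/5.0 (Windows; U; Win98; en-US; rv: 1.7.12) "
           "Gecko/20050915/Firefox 1.5.0.1")
SAMPLE_REQUEST = ("GET /whoami.php HTTP/1.1\r\n"
                  "Host: www.example.net\r\n"
                  f"User-Agent: {POST_UA}\r\n"
                  "Accept: */*\r\n\r\n")
SAMPLE_PEER = ("192.0.2.10", 49152)

# Constructed header of the kind a user-agent switcher sends; the server
# cannot tell it from a genuine one.
SPOOFED_UA = "Opera/9.02 (Windows NT 5.1; U; en)"

if __name__ == "__main__":
    for k, v in server_side_fields(SAMPLE_REQUEST, SAMPLE_PEER).items():
        print(f"{k}: {v}")
    print(profile_from_user_agent(SPOOFED_UA))
```

    The Referrer line comes out blank for the same reason it is blank in the post: the browser sent no Referer header, and the server has nothing else to fill it from. Only the IP and port survive a spoofed header, which is exactly why the thread's "your computer is there whether or not it answers probes" point holds.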

  10. #10
    Senior Member
    Join Date
    Nov 2005
    Posts
    115
    Correct me if I'm wrong, but isn't a "stealth" rule on a firewall a standard type of rule? It's used as a part of deny by default and allow by exception kinda thinking?

    It sounds like some marketing ditz has got a hold of this and extrapolated for all non-technical users, perverting the actual meaning of the word.

    Cheers,

    aL
