i have super scan...
What exactly am I looking for? Just open ports on the firewall that shouldn't be?
Basically.
(Ok guys, time to see how well I've learned what you taught me!) You've got three port states basically: open (you're a sitting duck), closed (but can be seen and thus broken into), and stealth (you're completely invisible). The goal is to configure a firewall so that you run in full stealth. Look for ports that are visible (open or closed, not stealth), and especially watch for ports that are open, for those are the ones that pose the greatest threat.
Also, it's good to start learning which ports are of particular importance (which ports are popular targets) and what functions various ports normally serve. This is something I have yet to learn myself.
For both of you, some huge port listings:
http://www.iana.org/assignments/port-numbers
http://www.iss.net/security_center/a...ts/default.htm
http://www.chebucto.ns.ca/~rakerman/port-table.html
I am currently running a scan now...the firewall IP is 172.16.x.x so I am running a scan on 172.16.x.x to 172.16.x.254. I came up with 11 ports open...I don't know what stealth mode is?
or how to configure that in my PIX...
Stealth mode simply means your firewall has hidden your ports. If a would-be attacker is scanning for open ports, he'll never see your computer because his SYN packets will be blocked at the firewall and never be responded to with ACK packets (thanks to Tig on my education on that one!). One way to test this is to go to www.grc.com and have them port scan you. It will tell you which ports are open, closed, or stealth. How this is configured depends on your firewall. Different firewalls have different config utilities and options.
I highly suggest reading TigerShark's tutorial on SYN/ACK communication as well.
Stealth is nice, but its importance is overstated. There are still other ways to find out if someone is online. Someone could run a ping sweep, or scan for a p2p port (i.e., 1214 for FastTrack) or another popular port. To me, the IDS portion of a firewall is more important than the stealth aspect.
Quote:
Originally posted here by AngelicKnight
Basically.
(Ok guys, time to see how well I've learned what you taught me!) You've got three port states basically: open (you're a sitting duck), closed (but can be seen and thus broken into), and stealth (you're completely invisible). The goal is to configure a firewall so that you run in full stealth. Look for ports that are visible (open or closed, not stealth), and especially watch for ports that are open, for those are the ones that pose the greatest threat.
Also, it's good to start learning which ports are of particular importance (which ports are popular targets) and what functions various ports normally serve. This is something I have yet to learn myself.
Also, outside of a DOS attack, maybe someone could point me in the direction of a good resource detailing how a closed port (one that rejects instead of drops) is going to be exploited faster than a "stealthed" port, once the host is known?
Just a couple of thoughts.
Jason: Unless you intend separating a portion of your internal network from the rest of it then it would appear you are scanning from the inside with those IP addresses. The following address blocks are reserved for private networks and routers on the net will not route packets destined for them.
192.168.xxx.xxx
10.xxx.xxx.xxx
172.16.xxx.xxx through 172.32.xxx.xxx (IIRC)
You need to be at a location remote to your network and know the external address of the firewall to be able to properly scan it.
[Edit]
Angelic: A closed port can't be "exploited" in the traditional sense. It can be used to determine OS type but actual exploits can't work because the packets received on the closed ports are not acted upon. The proper thing for the closed port to do is to simply respond with an RST or RST/ACK.
Keyser: Because the packet is responded to with an RST or RST/ACK the scan tool knows the port's state and can move on. When the packets are dropped the scanner must try several times in case the packet was lost in transit. Each time it tries it must also wait for an allotted period of time before it retries.... Hence, scanning a firewalled machine usually takes quite a bit longer than an unfirewalled machine.
[/Edit]
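As an added example (not code from anyone in the thread), here is a small Python check for the private address blocks Tiger Shark lists, using the RFC 1918 definitions (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, so the 172 block ends at 172.31.255.255). It tells you whether a scan target is a private address, which is the quick way to tell that a scan is being run from inside the network and will show the internal interface rather than what an Internet host sees. The sample targets are constructed, not addresses from the thread.

```python
import ipaddress

# RFC 1918 private address blocks. Routers on the public Internet will not
# forward traffic destined for these ranges.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 through 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def scan_vantage(target: str) -> str:
    """Say what a scan of this target will actually measure.

    A private target is only reachable from inside the network, so open ports
    found on it describe the firewall's inside interface, not its exposure to
    the Internet. A public target approximates the outside view.
    """
    if is_rfc1918(target):
        return "inside: results show the internal interface, not external exposure"
    return "outside: results approximate what an Internet host sees"


def classify_targets(targets):
    """Map each target address to 'private' or 'public'."""
    return {t: ("private" if is_rfc1918(t) else "public") for t in targets}


# Constructed sample targets (203.0.113.0/24 is a documentation range, so it
# stands in for a real external firewall address here).
SAMPLE_TARGETS = ["172.16.0.1", "172.31.255.254", "172.32.0.1",
                  "10.1.2.3", "192.168.1.1", "203.0.113.7"]

if __name__ == "__main__":
    for target, kind in classify_targets(SAMPLE_TARGETS).items():
        print(f"{target:16} {kind:8} {scan_vantage(target)}")
```

Run it against the address you are about to scan before reading anything into the port count: a private target means the 11 or 17 "open" ports describe the inside, and the real check has to be made from a host outside the network against the firewall's external address.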
Read TheHorse13's tutorials on Nmap. He discusses breaking through closed ports using that program.
Quote:
Also, outside of a DOS attack, maybe someone could point me in the direction of a good resource detailing how a closed port (one that rejects instead of drops) is going to be exploited faster than a "stealthed" port, once the host is known?
Thank you guys
What exactly am I doing when I scan from inside the network? It ended up saying I had 17 ports open...what does that mean then?
3 things (2 questions, and a reply)
first - just to clarify, are you scanning internally or externally
second - what kind of router
and
third - it means that your router has those 17 ports open, AND can accept communication on them
Step out of technical thinking for a minute. Think of yourself in your house. To you, more doors are open and accessible because you are inside the house, so you have a much different viewpoint, not to mention you have the keys to everything.
Now, if you're a would-be burglar scouting the neighborhood, you only see things from the outside, and hopefully you don't have the same keys. What doors are "open" to the guy inside might be "closed" to the guy outside. So, if you're checking the security of your house, you begin from the outside.
Such is the same with how you should scan your network for vulnerabilities.
Its a Pix.
I am on the inside.
I just assumed if a door (port) was open from the inside it was also from the outside and vice versa.
This is exactly what I was referring to. Like I said, stealth is nice, but overvalued; a closed port is simply not going to act on the packets. And while it is nice to slow people down, and possibly even discourage them, there are other ways to discover hosts on a network. TheHorse's tut shows nicely how to use results listing "closed" or "filtered" ports to an attacker's advantage, but it does not (that I could see) show how to break in through a closed port.
Quote:
Originally posted here by Tiger Shark
[Edit]
Angelic: A closed port can't be "exploited" in the traditional sense. It can be used to determine OS type but actual exploits can't work because the packets received on the closed ports are not acted upon. The proper thing for the closed port to do is to simply respond with an RST or RST/ACK.
Keyser: Because the packet is responded to with an RST or RST/ACK the scan tool knows the port's state and can move on. When the packets are dropped the scanner must try several times in case the packets was lost in transit. Each time it tries it must also wait for an allotted period of time before it retries.... Hence, scanning a firewalled machine usually takes quite a bit longer then an unfirewalled machine.
[/Edit]
That's interesting. So if that's the case, what's really the point in even going stealth?
What's the point? Heh, some would say marketing.... ;)
Don't get the idea that I think stealthing is bad; it's just that many believe it does really make them invisible (even though we all know obscurity != security, right) and then invincible, since an attacker doesn't know what's there.
Just like Tiger said, it slows scanning quite a bit, and can make certain benefits of scanning harder to come by. But in the end, it is not nearly as effective as it sounds.
That doesn't make any sense, even according to RFC documents.
Quote:
But in the end, it is not nearly as effective as it sounds.
1. If your firewall is dropping the ICMP initial ping, then the IP isn't even recognized as being online because by dropping the ICMP (rather than denying) it acts like any other IP that literally isn't there.
2. If someone has your IP already, and they try to scan you while you have stealthed ports, those ports are going to respond in the same way as #1. Yes, on some scanners it will come up filtered (nmap), but that is still blocking out a good chunk of port scanners from recognizing you. Set the firewall to drop instead of deny, and even if the scanner sends another one to check transit time it still shows up as the exact same data as a port that literally isn't open. drop == stealthed. It isn't just a marketing term.
Drop is completely different than deny.
Because deny means "hello? are you there?" "I'm here, but denying you access" "fsck you!"
Drop means " hello are you there?" "....." "hello?!" "...." "oh well"
edit: On a side note, ever since the 2.4 kernel release of linux, DENY was renamed to DROP (which drops the packets) and REJECT has always been REJECT, but too often confused with DENY.
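An added Python model (my own, not code from anyone in the thread) of the two points made above by Tiger Shark and in this post: a SYN probe gets SYN/ACK back from a listening port, RST/ACK from a closed port the firewall rejects, and nothing at all from a port it drops, so the scanner cannot tell a drop from packet loss, retries, and pays a full timeout each time before it can call the port filtered. The host policy, retry count, timeout and round-trip time are constructed values; the mapping of "reject" and "drop" to the iptables REJECT and DROP targets is the one this post describes.

```python
# TCP header flag bits used in the replies
SYN, ACK, RST = 0x02, 0x10, 0x04

# Constructed timing: a LAN round trip versus the scanner's per-probe timeout.
RTT = 0.05
TIMEOUT = 1.0

# Constructed host policy: what the firewall does with a SYN to each port.
#   "listen" -> a service answers with SYN/ACK
#   "reject" -> closed; the firewall answers with RST/ACK (iptables REJECT)
#   "drop"   -> the packet is silently discarded (iptables DROP, "stealth")
HOST_POLICY = {22: "listen", 80: "reject", "default": "drop"}


def respond(policy, port):
    """Flags the target sends back to a SYN on `port`, or None when dropped."""
    action = policy.get(port, policy["default"])
    if action == "listen":
        return SYN | ACK
    if action == "reject":
        return RST | ACK
    return None


def probe(policy, port, retries=3, timeout=TIMEOUT):
    """Classify one port the way a SYN scanner does and report the time spent.

    Any reply settles the port on the first attempt. No reply means the scanner
    cannot distinguish filtering from a lost packet, so it retries and waits out
    the timeout each time before giving up and reporting 'filtered'.
    """
    elapsed = 0.0
    for _ in range(retries):
        reply = respond(policy, port)
        if reply is None:
            elapsed += timeout
            continue
        elapsed += RTT
        if reply & RST:
            return "closed", elapsed
        if reply & SYN and reply & ACK:
            return "open", elapsed
    return "filtered", elapsed


def scan(policy, ports, retries=3):
    """Scan a list of ports; returns ({port: state}, total seconds spent)."""
    states, total = {}, 0.0
    for port in ports:
        state, spent = probe(policy, port, retries)
        states[port] = state
        total += spent
    return states, total


def compare_policies(ports, retries=3):
    """Total scan time for the same ports on an all-reject versus an all-drop host."""
    _, reject_time = scan({"default": "reject"}, ports, retries)
    _, drop_time = scan({"default": "drop"}, ports, retries)
    return reject_time, drop_time


if __name__ == "__main__":
    states, total = scan(HOST_POLICY, [22, 80, 443])
    print(states, f"{total:.2f}s")
    reject_time, drop_time = compare_policies(range(1, 101))
    print(f"100 rejecting ports: {reject_time:.1f}s, 100 dropping ports: {drop_time:.1f}s")
```

The listening port shows up as open either way; the only thing the drop policy changes is that the rejecting port reads "closed" in one round trip while the dropped port reads "filtered" after three timeouts. Neither the closed nor the filtered port accepts traffic, which is the point both sides of the argument end up agreeing on.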
When I said it's not nearly as effective as it sounds, I did not mean to imply that somehow dropped packets were not being dropped, or however you took it. I simply meant that people who go to grc (or wherever) and say "Wow, I'm stealthed, no one can touch me" or "Man, I am in deep do-do cause I'm not stealthed" are not getting the entire picture. Like I said, stealth (dropping packets) is probably the best option for home users, but does not guarantee invisibility (even if being invisible equalled being secure, which it does not)
Secondly, many firewalls and Windows boxes respond to pings (at least by default) while stealthing your ports, since pings do not use ports. If pings are not being responded to, then yes, obviously IP connectivity doesn't appear to be there, even if it actually is. Whether grc (or other online scans) point this out, I will have to admit I don't know, cause I haven't gone to one of those places in a long time.
Thirdly, I never said drop != stealth; I said being stealthed (dropping) != security. If I know a host is up (by whatever means) then when I scan, if everything is stealthed but a server is running (p2p, ftp, game, whatever) it will show up anyway (obviously). If I am rejecting, then the scan will show me being up but closed, and they still aren't getting in through a port that either won't accept traffic or doesn't have some app serving on it, without a broken piece of software, in which case dropping or rejecting (once the target is identified) would provide the same level of security anyway.
The long and the short of the stealthed\closed argument is simply this:-
You ain't getting in through this port, period. Go try a different one.
Either way, it's secure.
If your computer is _completely_ "stealthed", (doesn't respond to pings or _any_ other stimulus), then the only advantage you gain is that the attacker can't determine what OS you are using back there. But there may be other ways of doing that via social engineering. Simple closed ports will give the NMaps of this world a better chance at an OS guess but even NMap tells you that it can't make a guess sometimes.