
Thread: Port scan question?

  1. #11
    Step out of technical thinking for a minute. Think of yourself in your house. To you, more doors are open and accessible because you are inside the house, so you have a much different viewpoint, not to mention you have the keys to everything.

    Now, if you're a would-be burglar scouting the neighborhood, you only see things from the outside, and hopefully you don't have the same keys. What doors are "open" to the guy inside might be "closed" to the guy outside. So, if you're checking the security of your house, you begin from the outside.

    The same goes for how you should scan your network for vulnerabilities.

  2. #12
    Senior Member | Join Date: May 2004 | Posts: 140
    It's a PIX.
    I am on the inside.
    I just assumed if a door (port) was open from the inside it was also open from the outside and vice versa.
    Romans 7:14-20
    14 We know that the law is spiritual; but I am unspiritual, sold as a slave to sin. 15 I do not understand what I do. For what I want to do I do not do, but what I hate I do. 16 And if I do what I do not want to do, I agree that the law is good. 17 As it is, it is no longer I myself who do it, but it is sin living in me. 18 I know that nothing good lives in me, that is, in my sinful nature. For I have the desire to do what is good, but I cannot carry it out.

  3. #13
    Senior Member | Join Date: Mar 2003 | Posts: 135
    Originally posted here by Tiger Shark

    [Edit]

    Angelic: A closed port can't be "exploited" in the traditional sense. It can be used to determine OS type but actual exploits can't work because the packets received on the closed ports are not acted upon. The proper thing for the closed port to do is to simply respond with an RST or RST/ACK.

    Keyser: Because the packet is responded to with an RST or RST/ACK, the scan tool knows the port's state and can move on. When the packets are dropped, the scanner must try several times in case the packet was lost in transit. Each time it tries it must also wait for an allotted period of time before it retries.... Hence, scanning a firewalled machine usually takes quite a bit longer than an unfirewalled machine.

    [/Edit]
    This is exactly what I was referring to. Like I said, stealth is nice, but overvalued; a closed port is simply not going to act on the packets. And while it is nice to slow people down, and possibly even discourage them, there are other ways to discover hosts on a network. TheHorse's tut shows nicely how to use results listing "closed" or "filtered" ports to an attacker's advantage, but it does not (that I could see) show how to break in through a closed port.

  4. #14
    That's interesting. So if that's the case, what's really the point in even going stealth?

  5. #15
    Senior Member | Join Date: Mar 2003 | Posts: 135
    What's the point? Heh, some would say marketing....

    Don't get the idea that I think stealthing is bad; it's just that many believe it does really make them invisible (even though we all know obscurity != security, right) and then invincible, since an attacker doesn't know what's there.

    Just like Tiger said, it slows scanning quite a bit, and can make certain benefits of scanning harder to come by. But in the end, it is not nearly as effective as it sounds.

  6. #16
    But in the end, it is not nearly as effective as it sounds.
    That doesn't make any sense, even according to RFC documents.

    1. If your firewall is dropping the initial ICMP ping, then the IP isn't even recognized as being online, because by dropping the ICMP (rather than denying) it acts like any other IP that literally isn't there.

    2. If someone has your IP already, and they try to scan you while you have stealthed ports, those ports are going to respond in the same way as #1. Yes, on some scanners it will come up filtered (nmap), but that is still blocking out a good chunk of port scanners from recognizing you. Set the firewall to drop instead of deny, and even if the scanner sends another one to check transit time, it still shows up as the exact same data as a port that literally isn't open. drop == stealthed. It isn't just a marketing term.

    Drop is completely different than deny.

    Because deny means "hello? are you there?" "I'm here, but denying you access" "fsck you!"
    Drop means " hello are you there?" "....." "hello?!" "...." "oh well"


    edit: On a side note, ever since the 2.4 kernel release of Linux, DENY was renamed to DROP (which drops the packets), and REJECT has always been REJECT, but is too often confused with DENY.
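    The two scanner behaviours argued over above (Tiger Shark's point that an RST lets the scanner move on while a dropped probe forces retries and timeouts, and the DROP-versus-REJECT point in this post) are easy to see in a few lines of code. The following is an added example, not code from the thread; the "hosts" are faked with an injected probe function and a modelled round-trip time so it runs offline, and the fake listening port, retry count and timeout values are assumptions. The `tcp_connect_probe` at the bottom is a real probe you can point at a host of your own.

```python
"""Added example: how a scanner tells "open", "closed" and "filtered" apart,
and why a DROP policy makes a scan slow while REJECT (RST) does not.
Not from the original thread. Hosts below are simulated so this runs offline.
"""
import errno
import socket

# Probe outcomes, mirroring what a SYN scan sees on the wire.
SYNACK = "synack"   # SYN/ACK came back: something is listening (open)
RST = "rst"         # RST or RST/ACK came back: host is up, port closed
TIMEOUT = None      # nothing came back: dropped by a firewall, or lost


def classify_port(host, port, probe, retries=3, timeout=1.0, rtt=0.02):
    """Return (state, seconds_spent) for one port.

    An answer (SYN/ACK or RST) settles the port on the first try, costing
    one round trip. Silence is indistinguishable from a lost packet, so the
    scanner must wait `timeout` and retry, `retries` times, before calling
    the port "filtered". That asymmetry is the whole cost of "stealth".
    """
    elapsed = 0.0
    for _ in range(retries):
        reply = probe(host, port)
        if reply == SYNACK:
            return "open", elapsed + rtt
        if reply == RST:
            return "closed", elapsed + rtt
        elapsed += timeout          # silence: wait the full timeout, retry
    return "filtered", elapsed


def scan(host, ports, probe, retries=3, timeout=1.0, rtt=0.02):
    """Scan `ports`; return ({port: state}, total_seconds)."""
    results, total = {}, 0.0
    for port in ports:
        state, spent = classify_port(host, port, probe, retries, timeout, rtt)
        results[port] = state
        total += spent
    return results, total


def host_looks_up(results):
    """Any answer at all (open or closed) proves the host is there. A host that
    only ever produced 'filtered' cannot be told apart from an unused address."""
    return any(state in ("open", "closed") for state in results.values())


def make_fake_host(listening, policy):
    """Simulated target (assumption for the example). `listening` ports answer
    SYN/ACK regardless of policy; everything else follows the firewall policy:
    'reject' answers with RST (iptables REJECT), 'drop' stays silent (DROP)."""
    if policy not in ("reject", "drop"):
        raise ValueError("policy must be 'reject' or 'drop'")

    def probe(host, port):
        if port in listening:
            return SYNACK
        return RST if policy == "reject" else TIMEOUT
    return probe


def tcp_connect_probe(host, port, timeout=1.0):
    """Real probe using a full connect() (like nmap -sT; a lone SYN needs raw
    sockets). The OS reports the same three outcomes: connected (open),
    connection refused, i.e. an RST (closed), or a timeout (filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except OSError:
            return TIMEOUT
    if rc == 0:
        return SYNACK
    if rc == errno.ECONNREFUSED:
        return RST
    return TIMEOUT   # EWOULDBLOCK/ETIMEDOUT/EHOSTUNREACH: nothing answered


if __name__ == "__main__":
    ports = range(21, 26)
    for policy in ("reject", "drop"):
        probe = make_fake_host({22}, policy)     # port 22 listening (assumed)
        results, seconds = scan("fake-host", ports, probe)
        print(f"{policy:6}: {results}  ~{seconds:.2f}s  up={host_looks_up(results)}")
    # Against a real box: classify_port("192.0.2.10", 80, tcp_connect_probe)
```

    With the modelled numbers, the REJECT host is fully scanned in five round trips, while the DROP host costs three full timeouts per silent port, more than a hundred times longer, yet the listening port shows up as open on both, and only the all-silent host leaves the scanner unable to say whether anything is there at all.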

  7. #17
    Senior Member | Join Date: Mar 2003 | Posts: 135
    When I said it's not nearly as effective as it sounds, I did not mean to imply that somehow dropped packets were not being dropped, or however you took it. I simply meant that people who go to grc (or wherever) and say "Wow, I'm stealthed, no one can touch me" or "Man, I am in deep doo-doo cause I'm not stealthed" are not getting the entire picture. Like I said, stealth (dropping packets) is probably the best option for home users, but does not guarantee invisibility (even if being invisible equalled being secure, which it does not).

    Secondly, many firewalls and Windows boxes respond to pings (at least by default) while stealthing your ports, since pings do not use ports. If pings are not being responded to, then yes, obviously IP connectivity doesn't appear to be there, even if it actually is. Whether grc (or other online scans) point this out, I will have to admit I don't know, cause I haven't gone to one of those places in a long time.

    Thirdly, I never said drop != stealth; I said being stealthed (dropping) != security. If I know a host is up (by whatever means), then when I scan, if everything is stealthed but a server is running (p2p, ftp, game, whatever) it will show up anyway (obviously). If I am rejecting, then the scan will show me as being up but closed, and they still aren't getting in through a port that either won't accept traffic or doesn't have some app serving on it, without a broken piece of software, in which case dropping or rejecting (once the target is identified) would provide the same level of security anyway.

  8. #18
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    The long and the short of the stealthed/closed argument is simply this:

    You ain't getting in through this port, period. Go try a different one.

    Either way, it's secure.

    If your computer is _completely_ "stealthed" (doesn't respond to pings or _any_ other stimulus), then the only advantage you gain is that the attacker can't determine what OS you are using back there. But there may be other ways of doing that via social engineering. Simple closed ports will give the Nmaps of this world a better chance at an OS guess, but even Nmap tells you that it can't make a guess sometimes.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
