Jesus,

If you send a FIN packet to a host, it won't return a RST packet if the port
is active; it will simply drop it.  That's the whole problem.  Stealth
scanners rely on sending this arbitrary FIN packet to a port and not
waiting for a response to determine that it is listening.  Only if the port
is closed is a RST packet returned.

Hope this helps,

Marcel Gerardino
Seguridad de Información
CODETEL
[EMAIL PROTECTED]
PGP Fingerprint: A127 13FD 0B08 8C78 DEF5  FF3D B921 1793 E77F C660





Jesus Gonzalez <[EMAIL PROTECTED]> on 03/23/99 05:59:06 PM


To:   [EMAIL PROTECTED]
cc:    (bcc: Marcel Gerardino/CODETEL)
Subject:  Stealth snooping




I've been wrestling with this question for some time now, perhaps someone
(or many) can give me your thoughts.
There are systems that detect intruders or break-in attempts, apparently
part of that "detection" is the identification or logging of a port scanner.
BUT, there are scanners out there that claim to be "stealth" scanners by
sending the FIN bit.
If I understand it correctly, the FIN bit basically states that "this is
the end of transmission", then the host sends an RST bit.  If this is the
case, then how can this be considered stealth since the scanner sending the
FIN bit is a) awaiting the RST response, and b) must have its IP address in
the packet?
Are there other methods of scanning which truly are stealth, or is it
currently not possible to port scan in stealth mode?
Any insights to this, or perhaps a better explanation of the FIN bit is
greatly appreciated.

Thanks.
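
Added example, not part of the original thread: a minimal stateful check that flags the FIN probes described above by looking at inbound packets rather than at the target's replies, since an open port sends nothing back. The packet records, addresses, function name and the three-port threshold are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed inbound TCP headers: (time, src, sport, dst, dport, flags).
# Flags use tcpdump-style letters: S=SYN, A=ACK, F=FIN.
PACKETS = [
    (0.00, "192.0.2.10", 40001, "198.51.100.5", 80, "S"),
    (0.05, "192.0.2.10", 40001, "198.51.100.5", 80, "A"),
    (0.90, "192.0.2.10", 40001, "198.51.100.5", 80, "FA"),  # normal close
    (1.00, "203.0.113.7", 51000, "198.51.100.5", 21, "F"),
    (1.01, "203.0.113.7", 51000, "198.51.100.5", 23, "F"),
    (1.02, "203.0.113.7", 51000, "198.51.100.5", 25, "F"),
    (1.03, "203.0.113.7", 51000, "198.51.100.5", 110, "F"),
    (2.00, "192.0.2.44", 40900, "198.51.100.5", 443, "FA"),  # one stray FIN
]


def find_fin_probes(packets, min_ports=3):
    """Return {source: [ports]} for sources sending FINs outside any known flow.

    A flow becomes known when its opening SYN is seen. A FIN on an unknown
    flow cannot be a real close, so it is counted whether or not the target
    answers: open ports stay silent, closed ports send RST.
    """
    known_flows = set()
    probed = defaultdict(set)
    for _time, src, sport, dst, dport, flags in sorted(packets):
        flow = (src, sport, dst, dport)
        if "S" in flags and "A" not in flags:
            known_flows.add(flow)
        elif "F" in flags and flow not in known_flows:
            probed[src].add(dport)
    # Require several distinct ports so one late FIN is not reported as a scan.
    return {src: sorted(ports) for src, ports in probed.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_fin_probes(PACKETS).items():
        print(f"out-of-state FINs from {src} to ports {ports}")
```

The source address in each flagged record is whatever the packet header carried, which is the same address the scanner needs in order to see any RST replies.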

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]


