Jesus Gonzalez wrote:
>
> I've been wrestling with this question for some time now, perhaps someone
> (or many) can give me your thoughts.
> There are systems that detect intruders or break-in attempts, apparently part
> of that "detection" is the identification or logging of a port scanner.
> BUT, there are scanners out there that claim to be "stealth" scanners by
> sending the FIN bit.
This may "stealth" past a basic packet filter, but would still be
detected by a decent firewall or IDS.
> Are there other methods of scanning which truly are stealth, or is it
> currently not possible to port scan in stealth mode?
It's impossible to scan in a complete "stealth" mode as you need some
method of returning responses to the attacking system. A savvy attacker
can however do a pretty good job of hiding their tracks. As an example
I've pasted below a recent posting to Bugtraq. Given the examples, if I
choose a "silent host" that I know has no border protection and does no
logging, I can pretty much scan anyone I want without fear of being
traced.
Hope this helps,
Chris
-------- Original Message --------
Subject: new tcp scan method
Date: Fri, 18 Dec 1998 07:47:57 +0100
From: antirez <[EMAIL PROTECTED]>
Reply-To: Bugtraq List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Hi,
I have uncovered a new tcp port scan method.
Unlike all the others, it allows you to scan using spoofed
packets, so scanned hosts can't see your real address.
In order to perform this I use three well known tcp/ip
implementation peculiarities of most OSes:
(1) * hosts reply SYN|ACK to SYN if the tcp target port is open,
      and reply RST|ACK if the tcp target port is closed.
(2) * You can know the number of packets that hosts are sending
      using the id ip header field. See my previous posting 'about the
      ip header' in this ml.
(3) * hosts reply RST to SYN|ACK, and reply nothing to RST.
The Players:
host A - evil host, the attacker.
host B - silent host.
host C - victim host.
A is your host.
B is a particular host: it must not send any packets while
you are scanning C. There are a lot of 'zero traffic' hosts
on the internet, especially in the night :)
C is the victim; it must be vulnerable to SYN scan.
I've called this scan method 'dumb host scan' in honour of host
B's characteristics.
How it works:
Host A monitors the number of outgoing packets from B using the id
field of the ip header.
You can do this simply using hping:
#hping B -r
HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms
-cut-
..
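The three-host exchange the forwarded post describes, worked through as an in-memory simulation. This is an added example, not code from antirez's post or from hping: the hosts A, B and C, the open ports on C, the starting IP ID value and the packet representation are all constructed for the example, and no packets are sent. It models the three peculiarities the post lists, the "hping -r" style idle check, the spoofed SYN, and the inference from the IP ID delta; it also shows the failure mode the post's "zero traffic" requirement guards against, where a single packet B sends on its own makes a closed port look open.

```python
"""Simulation of the 'dumb host scan' (idle scan) exchange. No packets are
sent; the three hosts and their TCP/IP behaviour are modelled in memory."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    open_ports: frozenset = frozenset()
    ip_id: int = 1000                      # constructed starting IP ID for the example
    inbox: list = field(default_factory=list)

    def send(self, net, dst, flags, dport, src=None):
        """Emit one packet. Peculiarity (2): a single global IP ID counter ticks
        once for every packet this host sends. `src` lets the attacker spoof."""
        pkt = {"src": src or self.name, "dst": dst, "flags": flags,
               "dport": dport, "id": self.ip_id}
        self.ip_id = (self.ip_id + 1) % 65536
        net.deliver(pkt)
        return pkt

    def receive(self, net, pkt):
        """Peculiarities (1) and (3) of the receiving TCP stack."""
        self.inbox.append(pkt)
        flags = pkt["flags"]
        if flags in ("R", "RA"):
            return                                   # (3): a RST is never answered
        if flags == "S":                             # (1): SYN reveals the port state
            reply = "SA" if pkt["dport"] in self.open_ports else "RA"
        elif flags == "SA":
            reply = "R"                              # (3): unexpected SYN|ACK gets a RST
        else:
            reply = "RA"                             # flag-less probe (hping default) gets RST|ACK
        self.send(net, pkt["src"], reply, pkt["dport"])


class Net:
    """Routes on the destination address only; nobody validates the source,
    which is what lets A put B's address on the SYN it sends to C."""
    def __init__(self, *hosts):
        self.hosts = {h.name: h for h in hosts}

    def deliver(self, pkt):
        self.hosts[pkt["dst"]].receive(self, pkt)


def probe_id(net, attacker, zombie):
    """What `hping B -r` reports: the IP ID on the RST|ACK that B returns."""
    attacker.send(net, zombie, "", 0)
    return attacker.inbox[-1]["id"]


def is_idle(net, attacker, zombie, samples=5):
    """B qualifies as the silent host only if its IP ID advances by exactly
    one per probe, i.e. it sends nothing but our replies (hping's id=+1 lines)."""
    ids = [probe_id(net, attacker, zombie) for _ in range(samples)]
    return all((b - a) % 65536 == 1 for a, b in zip(ids, ids[1:]))


def idle_scan(net, attacker, zombie, victim, port, background=None):
    """Scan one port of `victim` through `zombie`. `background`, if given, is
    called between the spoofed SYN and the second probe to simulate B sending
    traffic of its own, the scan's main failure mode."""
    before = probe_id(net, attacker, zombie)
    # The SYN carries B's address as source, so C answers B and never sees A.
    attacker.send(net, victim, "S", port, src=zombie)
    if background:
        background()
    after = probe_id(net, attacker, zombie)
    delta = (after - before) % 65536
    if delta == 1:
        return "closed"      # C sent RST|ACK to B, which B ignored
    if delta == 2:
        return "open"        # C sent SYN|ACK, B answered it with a RST
    return "unknown"         # B was not idle; repeat, or pick another B


def demo():
    a, b = Host("A"), Host("B")
    c = Host("C", open_ports=frozenset({22, 80}))   # constructed victim
    net = Net(a, b, c)
    if not is_idle(net, a, "B"):
        return None, None
    results = {p: idle_scan(net, a, "B", "C", p) for p in (22, 25, 80)}
    seen_by_victim = {p["src"] for p in c.inbox}    # addresses C ever saw
    return results, seen_by_victim


if __name__ == "__main__":
    print(demo())
```

Running demo() reports 22 and 80 open, 25 closed, and C's inbox holds only B's address. Passing a background callback that makes B send one packet of its own during the scan shifts the delta by one: a closed port then comes back as "open", and an open one as "unknown". That is why the post needs B to send nothing at all while C is being scanned, and why checking the relative id with hping first matters.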