Problem: define stealth.
If stealth = source is undeterminable, then it is difficult, but maybe not
impossible to be stealthy. Of course the stealthier the scan, the harder it
is to get a return.
If stealth = destination doesn't know it's happening, then NO! because you
have to send some kind of packet. The only truly stealthy way of scanning
someone is to get close enough network wise and then sniff the packets, but
that's not a scan.
Think about military hardware, specifically radars. Stealthy scans of the
enemy rely on THEIR emissions, be they radar, radio, visible light,
infrared, etc. Stealth planes don't mind you knowing they just came by and
blew you up, they just hate it when you see them coming.
=========================
Paul H. Gracy
[EMAIL PROTECTED]
phone: 404 705 2873
#include <std.disclaimer>
=========================
> -----Original Message-----
> From: Chris Brenton [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, March 26, 1999 10:44 AM
> To: Jesus Gonzalez
> Cc: [EMAIL PROTECTED]
> Subject: Re: Stealth snooping
>
> Jesus Gonzalez wrote:
> >
> > I've been wrestling with this question for some time now, perhaps someone
> > (or many) can give me your thoughts.
> > There are systems that detect intruders or break-in attempts, apparently part
> > of that "detection" is the identification or logging of a port scanner.
> > BUT, there are scanners out there that claim to be "stealth" scanners by
> > sending the FIN bit.
>
> This may "stealth" past a basic packet filter, but would still be
> detected by a decent firewall or IDS.
>
> > Are there other methods of scanning which truly are stealth, or is it
> > currently not possible to port scan in stealth mode?
>
> It's impossible to scan in a complete "stealth" mode as you need some
> method of returning responses to the attacking system. A savvy attacker
> can however do a pretty good job of hiding their tracks. As an example
> I've pasted below a recent posting to Bugtraq. Given the examples, if I
> choose a "silent host" that I know has no border protection and does no
> logging, I can pretty much scan anyone I want without fear of being
> traced.
>
> Hope this helps,
> Chris
>
>
> -------- Original Message --------
> Subject: new tcp scan method
> Date: Fri, 18 Dec 1998 07:47:57 +0100
> From: antirez <[EMAIL PROTECTED]>
> Reply-To: Bugtraq List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
>
> Hi,
>
> I have uncovered a new tcp port scan method.
> Unlike all others it allows you to scan using spoofed
> packets, so scanned hosts can't see your real address.
> In order to perform this I use three well known tcp/ip
> implementation peculiarities of most OSes:
>
> (1) * hosts reply SYN|ACK to SYN if tcp target port is open,
> reply RST|ACK if tcp target port is closed.
>
> (2) * You can know the number of packets that hosts are sending
> using the id ip header field. See my previous posting 'about the ip
> header' in this ml.
>
> (3) * hosts reply RST to SYN|ACK, reply nothing to RST.
>
>
> The Players:
>
> host A - evil host, the attacker.
> host B - silent host.
> host C - victim host.
>
> A is your host.
> B is a particular host: It must not send any packets while
> you are scanning C. There are a lot of 'zero traffic' hosts
> on the internet, especially in the night :)
> C is the victim, it must be vulnerable to SYN scan.
>
> I've called this scan method 'dumb host scan' in honour of host
> B's characteristics.
>
>
> How it works:
>
> Host A monitors the number of outgoing packets from B using the id iphdr.
> You can do this simply using hping:
>
> #hping B -r
> HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes
> 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
> 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
> 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
> 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
> 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
> 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms
> -cut-
> ..
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
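The whole "dumb host" method quoted above rests on peculiarity (2): a host whose IP ID counter goes up by exactly one per packet it sends leaks its packet count to anyone who probes it. The defender's check is therefore the reverse of the scan: probe your own hosts the way antirez shows (hping with -r) and see whether the id field is predictable. The script below is an added example, not code from the thread and not part of hping; it parses the hping -r output format shown in the post (absolute id on the first reply, +delta on later ones), reconstructs the 16-bit id sequence, and classifies the host as idle-sequential (the "silent host" an attacker wants), busy-sequential (predictable counter, but other traffic is mixed in) or randomized (the mitigation modern stacks use). The sample output lines and the 192.0.2.x addresses are constructed; it is an assumption that hping prints negative deltas with a leading minus, as the randomized sample does.

```python
import re
from typing import List

# Constructed samples in the format hping prints with -r (relative id).
# The first reply carries an absolute id; later replies print the delta.
SAMPLE_IDLE = """\
HPING 192.0.2.10 (eth0 192.0.2.10): no flags are set, 40 data bytes
60 bytes from 192.0.2.10: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from 192.0.2.10: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from 192.0.2.10: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from 192.0.2.10: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
-cut-
"""

# Same counter style, but the host is sending other traffic between probes.
SAMPLE_BUSY = """\
60 bytes from 192.0.2.11: flags=RA seq=0 ttl=64 id=41660 win=0 time=2.0 ms
60 bytes from 192.0.2.11: flags=RA seq=1 ttl=64 id=+1 win=0 time=70 ms
60 bytes from 192.0.2.11: flags=RA seq=2 ttl=64 id=+7 win=0 time=71 ms
60 bytes from 192.0.2.11: flags=RA seq=3 ttl=64 id=+3 win=0 time=69 ms
60 bytes from 192.0.2.11: flags=RA seq=4 ttl=64 id=+12 win=0 time=72 ms
"""

# A stack that randomizes the id field: deltas are large and sign-less.
# (Assumption: hping shows a negative delta as id=-NNNN.)
SAMPLE_RANDOM = """\
60 bytes from 192.0.2.12: flags=RA seq=0 ttl=64 id=12345 win=0 time=1.5 ms
60 bytes from 192.0.2.12: flags=RA seq=1 ttl=64 id=+23811 win=0 time=66 ms
60 bytes from 192.0.2.12: flags=RA seq=2 ttl=64 id=-41002 win=0 time=68 ms
60 bytes from 192.0.2.12: flags=RA seq=3 ttl=64 id=+9045 win=0 time=67 ms
"""

# Matches the seq= and id= tokens of a reply line; banner/-cut- lines do not match.
LINE_RE = re.compile(r"seq=(\d+) .*?\bid=([+-]?\d+)\b")


def parse_ids(text: str) -> List[int]:
    """Reconstruct the absolute 16-bit IP ID of every reply in hping -r output."""
    ids: List[int] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        token = m.group(2)
        if token[0] in "+-" and ids:
            # Relative form: apply the signed delta to the previous id, mod 2^16.
            ids.append((ids[-1] + int(token)) & 0xFFFF)
        else:
            # Absolute form (first reply, or a line printed without a sign).
            ids.append(int(token) & 0xFFFF)
    return ids


def id_deltas(ids: List[int]) -> List[int]:
    """Per-probe increments of the id field, taken modulo 2^16 so wraparound is handled."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify(ids: List[int], max_busy_step: int = 64) -> str:
    """Classify a host's IP ID behaviour from the ids it returned to our probes.

    idle-sequential : every reply is previous+1, the counter leaks the exact
                      packet count and the host is usable as a 'silent host'.
    busy-sequential : counter is still incremental but other traffic is mixed
                      in (small positive steps larger than one).
    randomized      : steps are not small positive increments, so the id field
                      reveals nothing about how many packets the host sent.
    insufficient    : fewer than three replies, not enough to judge.
    """
    deltas = id_deltas(ids)
    if len(deltas) < 2:
        return "insufficient"
    if all(d == 1 for d in deltas):
        return "idle-sequential"
    if all(1 <= d <= max_busy_step for d in deltas):
        return "busy-sequential"
    return "randomized"


if __name__ == "__main__":
    for name, sample in (("idle", SAMPLE_IDLE), ("busy", SAMPLE_BUSY), ("random", SAMPLE_RANDOM)):
        ids = parse_ids(sample)
        print(f"{name:7s} ids={ids} deltas={id_deltas(ids)} -> {classify(ids)}")
```

A host that comes back idle-sequential is exactly the B that antirez's method needs, and it is your host that is being abused as a scanning proxy while C logs B's address; the fix is a stack that randomizes the id field (or one that does not increment it globally), after which the classification falls to randomized and the packet count can no longer be read off the probes. A busy-sequential result still leaks, it is only noisier.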