[ale] Nmap + filtered ports

H. A. Story adrin at bellsouth.net
Sat Dec 17 12:39:00 EST 2005


Brian MacLeod wrote:

>
>
> On 12/16/05, *Chris Ricker* <kaboom at oobleck.net 
> <mailto:kaboom at oobleck.net>> wrote:
>
>
>     That's the whole point -- you have to return something if you want
>     it to
>     look "normal"
>
>     If you connect to a normal, unfiltered port with nothing listening
>     on it,
>     a compliant TCP/IP stack does not drop your connecting packet on the
>     floor. Instead, it returns a response that lets you know there's no
>     service listening on that port:
>
>     * for TCP, it returns a TCP reset
>
>     * for UDP, it returns an ICMP port unreachable
>
>     By using the "-p tcp -j REJECT --reject-with tcp-reset" or "-p udp -j
>     REJECT", your filter response is the same as an unfiltered,
>     unbound port's
>     response
>
>     That's not to say an "iptables -p tcp -j REJECT --reject-with
>     tcp-reset"
>     is undetectable, just that it's a lot less obvious than an
>     "iptables -p
>     tcp -j DROP". Whether that's good or bad is situation-dependent and
>     opinion-dependent ;-)
>
>
>
> Right, I think I understand this.  But the flip side to this is that 
> the attacker now knows that there is a machine there, whereas if you 
> drop the packet, he doesn't know whether it is because of a firewall 
> dropping packets or because it is an unused IP address.  If my 
> assumption is correct, hackers are not going to want to investigate 
> this further since it could be a waste of time.
>
> Or am I not understanding this correctly?
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://www.ale.org/mailman/listinfo/ale
>
Don't you remember "War Games" the movie?  I hope I got the name right.  
You start the modems on a dial-up script and go to work/school.   No 
time wasted.  Then come back and thumb through the logs.  Or do a script 
that takes you to points of interest.   The same can be said for reviewing 
your system logs.  Which is why I won't use a software box as a gateway 
anymore.  I am too busy to keep up with all the hacks and updates needed 
to stay ahead of the script kiddies.   Although I would love to play 
with the "tarpit" thing one day.  Somehow, knowing that I am screwing 
with someone's head and holding their TCP connections hostage brings a 
smile to my face.

Wonder what would happen if I did this on a corporate network on port 
139......I am thinking pink slip.

Adrin
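The exchange above turns on what a scanner sees for each iptables target. The following is an added illustration, not code from this thread, from nmap or from netfilter: it models the reply each rule produces (RST, ICMP port unreachable, or silence) and the port state nmap reports for that reply in a SYN scan (-sS) and a UDP scan (-sU), following nmap's documented rules. It also covers a case the thread does not mention, a plain TCP `-j REJECT` without `--reject-with tcp-reset`, whose default ICMP port-unreachable reply nmap reports as filtered rather than closed. The reply constants and the `iptables_reply()` table are constructed for this example.

```python
"""Model of how nmap classifies a port from the reply to its probe, and of
which reply each iptables target produces.

Added illustration for the DROP-versus-REJECT discussion; not nmap's or
netfilter's code.  The reply names below and the iptables_reply() table
are constructed assumptions limited to the cases under discussion.
"""

# Constructed vocabulary for the replies a probe can receive.
SYN_ACK = "tcp-syn-ack"                   # something is listening
RST = "tcp-rst"                           # kernel or REJECT --reject-with tcp-reset
UDP_DATA = "udp-payload"                  # a UDP service answered
ICMP_PORT_UNREACH = "icmp-unreach-port"   # ICMP type 3, code 3
ICMP_OTHER_UNREACH = "icmp-unreach-other" # ICMP type 3, codes 0,1,2,9,10,13
NO_REPLY = None                           # packet dropped on the floor


def tcp_syn_state(reply):
    """Port state nmap -sS reports for a given reply to its SYN probe."""
    if reply == SYN_ACK:
        return "open"
    if reply == RST:
        return "closed"
    # Silence after retransmits, or any ICMP unreachable error: filtered.
    return "filtered"


def udp_state(reply):
    """Port state nmap -sU reports for a given reply to its UDP probe."""
    if reply == UDP_DATA:
        return "open"
    if reply == ICMP_PORT_UNREACH:
        return "closed"
    if reply == ICMP_OTHER_UNREACH:
        return "filtered"
    # No reply at all: nmap cannot distinguish a dropped probe from a
    # service that simply does not answer unsolicited data.
    return "open|filtered"


def iptables_reply(proto, target):
    """Reply generated for a probe hitting the given rule target.

    "none" means no rule matched and nothing is listening, i.e. the plain
    kernel behaviour Chris describes: RST for TCP, ICMP port unreachable
    for UDP.  The iptables REJECT default (no --reject-with) is
    icmp-port-unreachable for both protocols.
    """
    table = {
        ("tcp", "none"): RST,
        ("tcp", "DROP"): NO_REPLY,
        ("tcp", "REJECT --reject-with tcp-reset"): RST,
        ("tcp", "REJECT"): ICMP_PORT_UNREACH,
        ("udp", "none"): ICMP_PORT_UNREACH,
        ("udp", "DROP"): NO_REPLY,
        ("udp", "REJECT"): ICMP_PORT_UNREACH,
    }
    return table[(proto, target)]


def scan_result(proto, target):
    """What nmap prints for a port behind the given target."""
    reply = iptables_reply(proto, target)
    return tcp_syn_state(reply) if proto == "tcp" else udp_state(reply)


if __name__ == "__main__":
    cases = [
        ("tcp", "none"),
        ("tcp", "DROP"),
        ("tcp", "REJECT --reject-with tcp-reset"),
        ("tcp", "REJECT"),
        ("udp", "none"),
        ("udp", "DROP"),
        ("udp", "REJECT"),
    ]
    for proto, target in cases:
        print(f"{proto:3} {target:36} -> {scan_result(proto, target)}")
```

The two rows worth comparing are `tcp none` and `tcp REJECT --reject-with tcp-reset`, which both come out "closed", versus `tcp DROP`, which comes out "filtered"; that is the difference Chris and Brian are weighing. Note that only the tcp-reset variant blends in: a bare `-j REJECT` on TCP answers with ICMP, which nmap also flags as filtered.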



