Help with strange scan results please

Discussion in 'other security issues & news' started by operafox, Dec 27, 2005.

Thread Status:
Not open for further replies.
  1. operafox (Registered Member)
    Hi guys, I have this strange phenomenon when checking my browser's vulnerability.
    First I do a scan at pcFlank and get a mild result, as shown in the picture.
    Then I do some verification by targeting the suspected weak ports, and pcFlank confirms.
    I then go to Steve Gibson's ShieldsUp! to see what I get, and there I get a perfect stealth result. Same thing when I go over to Sygate.
    I don't know what to think! Help!
    These differences have been going on for a long while now, but I have absolutely no explanation for these.
    I tried it with several firewalls in turn, and always get the same sets of results.
    Any ideas?
    Thanks a lot.

    Edit: :( Can't get my attachments to upload.
    Basically; the results at pcflank are: all stealthed, except for 135, 137, 138, 139 which are closed.
    At GRC: all stealthed, these four included. Stealth again at Sygate.
    Thanks
     
    Last edited: Dec 27, 2005
  2. Brinn (Registered Member)
    Offhand, the only difference I see with the scans is that Sygate and GRC use ridiculously high port numbers to scan, whereas PCFlank uses a more normal 1024 to 5000 range (I'm guessing the range). Your firewalls may be treating the PCFlank scans as normal traffic and letting them through. Your computer isn't responding to them, so that's good.
     
  3. hardhead (Registered Member)
  4. CaptainSnow (Guest)

    Hello guys
    I ran GRC, and the site scans all ports, one by one, starting from 1 to 1024, which is the "normal range" for TCP/IP systems.
    Brinn, why would a firewall let some traffic through when it's a scan that's supposed to be stopped?
    BTW, GRC has a custom ports probe at disposal at the same address:

    134  Stealth  ingres-net   INGRES-NET Service
    135  Stealth  dcom-scm     DCOM Service Control Manager
    136  Stealth  profile      PROFILE Naming System
    137  Stealth  netbios-ns   NetBIOS Name Service
    138  Stealth  netbios-dgm  NETBIOS Datagram Service
    139  Stealth  netbios-ssn  NETBIOS Session Service
    140  Stealth  emfis-data   EMFIS Data Service
     
  5. Brinn (Registered Member)
    Those would be the destination ports for the scans (i.e. your comp). I'm talking about the packet source ports.
     
  6. operafox (Registered Member)
    Hi. Very interesting thought...
    Why would the firewalls treat any site as normal traffic? Any ideas why the firewalls might react in such a way with some sites? o_O
     
  7. Brinn (Registered Member)
    Not so much the site but the ports used. And really, a firewall doesn't distinguish between normal traffic and abnormal traffic. It allows and disallows traffic based on its rules. Bad rules = bad results.

    Say your computer is communicating with another on a network. Your computer would likely use a port in the 1024 to 5000 range. The firewall may see this as normal network traffic and let it through because of its default rules. It may not let traffic coming from an unusual port through because of those same rules.

    When I did those scans you listed, the pcflank site used ports in the 3,000 range to scan me. Sygate used ports in the 30,000 to 60,000 range. GRC used ports that were in the 60,000+ range. All were blocked because of my rules.

    This is just a theory I threw together without knowing anything about the firewalls you used and their settings. The ports used by the test sites were the only thing that really stood out at me when I looked at my logs.
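Brinn's source-port theory, worked through as an added illustration that is not part of the thread: a constructed, stateless rule set that accepts anything arriving from a "normal" client source port (1024 to 5000) makes the same host answer RST ("closed") to a scanner probing from the 3000s, while probes from the 30000+ and 60000+ ranges are dropped and show as "stealth". All port numbers, rule names and the rule set itself are hypothetical and chosen to match the ranges Brinn quotes; nothing here touches a real network.

```python
"""Constructed model of a source-port-keyed firewall rule vs. external scan verdicts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    src_port: int  # scanner's ephemeral (source) port
    dst_port: int  # port being probed on the scanned host


# Hypothetical "default" rule set (constructed for this example): the first matching
# rule wins. It accepts unsolicited packets whose *source* port looks like an ordinary
# client port and drops everything else.
DEFAULT_RULES = [
    ("accept", range(1024, 5001)),
    ("drop", range(0, 65536)),
]

# Corrected rule set: unsolicited inbound traffic is dropped regardless of source port.
HARDENED_RULES = [("drop", range(0, 65536))]

# Ports the scanned host actually listens on; empty here, like the thread's poster.
LISTENING = frozenset()


def firewall_verdict(probe, rules):
    """Return the action of the first rule whose source-port range matches."""
    for action, src_range in rules:
        if probe.src_port in src_range:
            return action
    return "drop"  # implicit default deny


def scan_result(probe, rules, listening=LISTENING):
    """What an external scanner reports for one probe:
    - dropped by the firewall -> no reply at all          -> "stealth"
    - passed, nothing listening -> TCP stack answers RST  -> "closed"
    - passed, service listening -> SYN/ACK                -> "open"
    """
    if firewall_verdict(probe, rules) == "drop":
        return "stealth"
    return "open" if probe.dst_port in listening else "closed"


def run_scan(scanner_src_port, rules, dst_ports=(135, 137, 138, 139)):
    """Report per-destination-port verdicts for a scanner using one fixed source port."""
    return {p: scan_result(Probe(scanner_src_port, p), rules) for p in dst_ports}
```

Running `run_scan(3001, DEFAULT_RULES)` reproduces the pcFlank-style "closed" result and `run_scan(61000, DEFAULT_RULES)` the GRC-style "stealth" result for the same host; with `HARDENED_RULES` every source port yields "stealth".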
     
  8. Notok (Registered Member)
    It's entirely possible that your ISP is blocking those ports as well, and some sites may deal with that differently than others (If EVERYONE on ACME Internet Service has ports "closed", then you're still basically stealthed, right?). I would contact the different websites about the reports and see what they have to say, as they are going to have more detailed knowledge about how their scanners work, and may have better insight about the different results. Please do let us know, I would be interested in hearing what they have to say.
     
  9. Tassie_Devils (Global Moderator)
    Operafox, do you have specific rules for those port ranges.... see my pic... you can always **make sure** they are covered by rules.

    However, hardhead's post above gave the ultimate link with WWDC blocking perfectly...

    I, and many others here probably, used it to totally block that port range, I did have those rules in place though before I had that tool.

    Give that a shot, and try again. Mine all show 'Stealthed' or 'Blocked' whatever the terminology of different sites are.

    TAS

    PS: Rhetorical question maybe, but you are scanning YOUR IP addy, aren't you? I mean sometimes an ISP may be working thru a proxy themselves, and you can get the results of 'their' port range from their IP. Just that I experienced this once a long time back and I got panicky 'cause I could see all these 'Open' ports, until I realised I was scanning my ISP. Just a thought :)
     
  10. Tassie_Devils (Global Moderator)
    This is the app which hardhead's link to Windows Worms Doors Cleaner is about.... very nifty, and totally easy to use.

    TAS
     