How to pass the trick from GRC shield Test

Discussion in 'other firewalls' started by testsoso, Jan 14, 2008.

Thread Status:
Not open for further replies.
  1. testsoso

    testsoso Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    137
    Under the 1056 ports scan, GRC test site provided a trick, by klick a death link of the page, than you retry the test, and the firewall should fail this time.

    Does anyone knows how to pass this trick?
     
  2. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    No idea what you mean.


    Please clarify and link.
     
  3. testsoso

    testsoso Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    137
    Sorry for my bad english.

    here is the link:
    https://www.grc.com/x/ne.dll?bh0bkyd2

    go to proceed,

    http://www.grc.com/x/ne.dll?rh1dkyd2

    than go to all service ports,

    https://www.grc.com/x/ne.dll?rh1dkyd2

    after the test has finished, scrolldown the page, if you have a good firewall, you will receive a trustealth passed, but than more down in the page, under Service Ports Scan Application Guide, there are four steps describt, to fool your firewall.

    i tried it with many firewalls, comodo, online armor, ...all failed. how can i make the firewall pass this one?
     
  4. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    The procedures described under Service Ports Scan Application Guide are merely tools to determine efficacy of your ISP and/or router (if applicable) with respect to blocking/stealthing ports vs. your software firewall alone.
    If you set your software firewall to allow ShieldsUp's probe IP [4.79.142.206], any ports closed/stealthed are due to blocking by your ISP or router.
    Merely remove ShieldsUp's probe IP [4.79.142.206] as trusted, and your firewall should stealth all ports.
     
  5. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Adaptive ident handling. I'm behind a router so I can't test it.

     
  6. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    My router failed, oh well :p
     
  7. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
    If you have the firewall function on your router, read the manual or box, where it shows you the features, when you find it, type your ip in your browser, and configure your router.
     
  8. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    I've just done a test by disabling my router firewall and uninstalling a software firewall I was testing (Online Armor). All 1,056 ports are still showing as stealthed so it would appear the ISP is blocking them. I wouldn't have thought they blocked all of them though. It's very good if that's the case.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    With ref to port 113:

    This on routers is left as closed for a reason.
    http://www.grc.com/port_113.htm
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I would think that you had windows firewall active. This can stealth all ports (if no application as been allowed inbound)
    I have not known an ISP then will stealth all ports, as this will block numerous application (P2P/ chat etc) from taking unsolicited inbound.
    It also as security issues for user of applications (AV etc) that have an option for alerts (where the vendor sends alerts to the application)
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Ok, this all is too advanced to me, can someone explain if this is some kind of risk, is it a flaw in the firewall that could be used in attacks?
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    With ref to port 113,

    I have always had personal problems with adaptive firewall rules, but, saying that, such problems/compromise on port 113 I have not seen or found.
    If in any doubt just close that port, end of any concern. (I actually see no need for this now (port 113/ident), but of course this is only on my checks,.. please do advise if this is needed anywhere, by anyone)

    Basically, if you have reports from an external scan to show ports closed, then all ok,(as I have mentioned before). Only if ports show as open should concern be made.
     
  13. wat0114

    wat0114 Guest

    If your router has a DMZ, then you may have to put your machine's ip address on it, then try the scan, because even though you disable your router's firewall, the router's connection is still probably being scanned and not your machine.
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Thank you wat0114, I had actually missed that point, I was thinking the router had been removed.
     
  15. wat0114

    wat0114 Guest

    You're welcome :)
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    So what would you suggest where a firewall will open inbound ports due to outbound> as with such as mentioned?

    With respect from me of course, I am looking for personal view/comment on such

    Comments/ feedback from all,.. please.
     
  17. wat0114

    wat0114 Guest

    Hi Stem,

    I'm not sure about your question o_O Do you mean with the router's firewall disabled? I only mentioned the possibility of having to place the machine's ip on the router's DMZ because disabling the firewall on it, depending on the model, may not necessarily have the desired effect of allowing inbound scans a free-for-all access t ohis machine. This is because on my old DI-624 I actually have to create an allow all inbound rules (as seen in ss) to disable the firewall from blocking all ports, as its block all rule is hard-coded into the device.

    Sorry, I'm not nearly on the same technical level as you are when it comes to networking and network security, but I do try to learn on a continual basis ;)
     

    Attached Files:

  18. wat0114

    wat0114 Guest

    Stem, maybe I have the answer, but please correct me if i'm wrong ;) I placed my machine's ip on the router's DMZ and activated the router's "Allow all" rule just for good measure to make sure my software firewall (Jetico 2 in this case) would get the scan. It passed the "trick" easily because of a key "Block all not processed protocol packets" block rule, as seen in the screenshot. Yes, I followed the steps accurately and J2 still passes (all stealthed) on the re-scans. This "Block" rule in J2 needs to be placed a bit further down in the table list, as opposed to my other block rules, otherwise all network access will be blocked.

    I believe J2 passes because even though a solicited connection was made to that ip address immediately before the re-scan, the connection is not maintained so it does not meet the requirements of the SPI rules above that "Block all not processed protocol packets" block rule, so the connection attempt is passed further down the list until it reaches that block rule and, of course, it fails, so all the ports are stealthed.

    Does this make sense?
     

    Attached Files:

  19. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    I'll try that and report back at a later stage. By IP address, do you mean the WAN IP?

    Windows firewall wasn't enabled so this seems more likely to be the situation.
     
  20. wat0114

    wat0114 Guest

    No, you will want to choose the ip address that your computer uses, on the LAN side of the router. This will probably something like: 192.168.1.xx or 192.168.0.xx...or along those lines.

    If you use Win XP you can find it in: Control Panel-> Network Connections-> Local Area connections-> Support-> IP address.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    I have noticed that most Windows firewalls stealth port 113; On NIX systems, the port is usually left "only" closed, probably an ancient legacy. But I have not noticed any problems with or without stealthing the port ...
    Mrk
     
  22. wat0114

    wat0114 Guest

    True enough, it does not really matter if the port is closed instead of stealthed. In both cases it's secure. Also, some of the early posts in this thread puzzle me, with remarks such as: "my firewall fails" or: "my router fails", having lead me to believe that it was more than only port 113 that was closed instead or stealthed. If it was only 113 that reverted to closed, then this is clearly a trivial matter.
     
    Last edited by a moderator: Jan 21, 2008
  23. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    Rather than mess with DMZ settings, I re-tried the scan with no router connection whatsoever, no software firewall installed and no Win XP firewall running.

    The result is all ports are closed except two: ports 135 & 139 are open. Port 0 is stealthed, but this doesn't seem to serve any legitimate purpose.

    Screenshot attached.
     

    Attached Files:

  24. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    @TonyW: This is the scan result you get with OA Free installed?
     
  25. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    That scan result is with NO firewall installed, including OA.
     
Loading...
Thread Status:
Not open for further replies.