Not totally stealthed??

Discussion in 'LnS English Forum' started by Q-ball, May 21, 2003.

Thread Status:
Not open for further replies.
  1. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    The test at GRC came up as stealth but did receive a ping reply

    I'm just trying Look 'n' Stop out right now, which I don't think is any better than Sygate Pro, but an interesting program.
     
  2. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    GRC Port Authority Report created on UTC: 2003-05-21 at 23:59:27
    Results from scan of ports: 0-1055
    0 Ports Open
    0 Ports Closed
    1056 Ports Stealth
    ---------------------
    1056 Ports Tested
    ALL PORTS tested were found to be: STEALTH.
    TruStealth: FAILED - ALL tested ports were STEALTH,
    - NO unsolicited packets were received,
    - A PING REPLY (ICMP Echo) WAS RECEIVED.
     
  3. Ph33r_

    Ph33r_ Guest

    Hey Q-ball

    Heh, when you explore things you should allow yourself some time to learn of its capabilities before making drastic assumptions on something.

    You're using EnhancedRulesSet.rls, correct?
    Try disabling its default ICMP rule, which is named “ICMP : Ping other (Rsp)”, then do a re-scan. :)
     
  4. I_lack_commonsense

    I_lack_commonsense Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    44
    Yes it does seem to be a configuration problem... just ran the same test as you... using v2.04p2 with Enhanced Rules and TCP SPI on...

    GRC Port Authority Report created on UTC: 2003-05-22 at 01:30:50

    Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
    1056 Ports Stealth
    ---------------------
    1056 Ports Tested

    ALL PORTS tested were found to be: STEALTH.

    TruStealth: PASSED - ALL tested ports were STEALTH,
    - NO unsolicited packets were received,
    - NO Ping reply (ICMP Echo) was received.
     
  5. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi guys,

    well, there are some other rules as well, which you should activate. Did you activate those rules as well? ;)

    http://www.wilderssecurity.com/showthread.php?t=8696

    Best regards,

    Patrice
     
  6. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    You're right--maybe I jumped the gun a little---I will test some more
     
  7. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    GRC Port Authority Report created on UTC: 2003-05-25 at 01:14:48
    Results from scan of ports: 0-1055
    0 Ports Open
    0 Ports Closed
    1056 Ports Stealth
    ---------------------
    1056 Ports Tested
    ALL PORTS tested were found to be: STEALTH.
    TruStealth: FAILED - ALL tested ports were STEALTH,
    - NO unsolicited packets were received,
    - A PING REPLY (ICMP Echo) WAS RECEIVED.


    I don't know what to do??---I've blocked all ICMP and I still get a ping reply

    Now Outpost v2 did the same thing--I chose to use it in stealth mode and did the GRC test--it too had a ping reply

    BlackICE did the same thing also---all stealth but had a ping reply

    The only firewall so far that tested to be all stealth with no ping reply was Sygate Pro.

    I've got several computers with different firewalls on them ------

    I really like LnS, but if I can't figure out how to stop it from sending a ping reply, then there will be no need for me to purchase it.


    "I'm up for more suggestions guys" thx
     
  8. Phant0m``

    Phant0m`` Guest

    Hey

    Disable "all" the ICMP rules found in the rule-set and retry...
     
  9. Phant0m``

    Phant0m`` Guest

    Btw, some details would be nice. What Windows version are you using? What version of Look 'n' Stop are you using? Are you behind a router? Is the machine connecting to the Internet through another computer?
     
  10. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    Hello ph

    I did disable all ICMP rules and it still came up

    GRC Port Authority Report created on UTC: 2003-05-25 at 01:50:26
    Results from scan of ports: 0-1055
    0 Ports Open
    0 Ports Closed
    1056 Ports Stealth
    ---------------------
    1056 Ports Tested
    ALL PORTS tested were found to be: STEALTH.
    TruStealth: FAILED - ALL tested ports were STEALTH,
    - NO unsolicited packets were received,
    - A PING REPLY (ICMP Echo) WAS RECEIVED.

    I'm using XP Pro
    I'm using the latest LnS 204p2
    No, I'm not behind a router while testing
    No--I'm not connecting to the internet through another computer.

    I'm not really used to rule-based firewalls yet--Sygate spoiled me. Everything with LnS is laid out pretty simply, so I don't think I've done anything wrong.

    By the way, ph, I've been to your web site and think it to be pretty cool--keep up the good work.
     
  11. Phant0m``

    Phant0m`` Guest

    Hey Q-ball

    This is quite abnormal; apparently this appears to be a problem.
    And whatever it is clearly indicating not only for Look ‘n’ Stop; give me a bit of time and I’ll see what I can find out…

     
  12. Phant0m``

    Phant0m`` Guest

    Q-ball

    Did you say you made a rule to block ALL Inbounds/Outbounds of ICMP’s ? o_O
     
  13. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    No, I didn't.

    I just used the rule to stop forbidden packets of ICMP that came with stock LnS

    I will admit--this is a learning curve for me----I've built my own computers for years now, but some of the rules I see on your site are beyond me how to activate them right now.

    I guess I'll slowly get the hang of it.
     
  14. Phant0m``

    Phant0m`` Guest

    Hey Q-ball

    There is a mistake in the Phant0m``s Rule-set $v1.0, scroll through the rule-set and find “UDP : Block Broadcast” rule and set it with a BLOCK Flag. Don’t forget to save Changes…

    DO NOT ENABLE ANY RULES, DISABLED RULES EXIST ONLY FOR THOSE WHO HAVE NEED FOR THEM, THEY WILL NOT ENHANCE YOUR PROTECTION ANY FURTHER.

    Did you follow the page steps and properly configure your DNS rules and BOOTP / DHCP rules?

    Are you on Dialup or?

    And have you tried running the grc test to see if your problem still exists?
     
  15. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    Hey Phant0m``

    I'm on ADSL.

    Did you follow the page steps and properly configure your DNS rules and BOOTP / DHCP rules?

    No, I have not yet. Just got out of a Medal of Honor game. I saw that on your site; I'll configure that later today and let you know


    Thx for your help.


    The more I mess with LnS, the more I like it.

    I also have Tiny 4.5 on one of my computers--talk about a learning curve--the sandbox is awesome, but it does take some time to learn.
     
  16. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    Hey Phant0m``

    I did configure my DNS rules and BOOT/DHCP rules from your web site. I'm also using your 52 ruleset zipfile from your web site.

    I guess it is all configured right---it seems to be---but I just ran the GRC test and it failed the ping reply again.

    At this point I can just laugh at it, because I just don't know what else to do.
     
  17. Phant0m``

    Phant0m`` Guest

    Hey Q-ball

    Alright now I’m absolutely sure there is a Leak anomaly here occurring specifically on your Machine, are you sure when running Sygate Personal Firewall you get Stealth PING results?

    You had mentioned that only Sygate Personal Firewall was capable of stealthing the PING test....
     
  18. Phant0m``

    Phant0m`` Guest

    Do you have more than one Software Firewall installed on that Machine?
     
  19. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    Hey Phant0m``

    I only run 1 firewall at a time. Now I also run System Safety Monitor too.

    But that's about it.

    Yes, when I ran Sygate Pro I was totally stealth with no ping reply.

    I've put a lot of work into learning LnS and configuring it. Much more than I put into most firewalls.
     
  20. Phant0m``

    Phant0m`` Guest

    Hey Q-ball

    I’ve sent Frederic an e-mail notifying him of this abnormal anomaly, hope to see him sometime this morning….

    Regards,
    Phant0m``
     
  21. Phant0m``

    Phant0m`` Guest

    When you used Sygate Personal Firewall and you were stealthed, was this before or after the GRC scanner updates?
     
  22. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    https://nanoprobe.grc.com/x/ne.dll?bh0bkyd2


    I went to the new 1 there. I didn't really care for the old 1.

    Tell me, ph--in your rule set--what is ETH-1?

    The ping reply seems to be the only prob I can see right now. LnS passes everything I throw at it but the ping reply.

    Is there another site I can go to and test to see if I get a ping reply?


    Also, like I said before--Outpost v2 and BlackICE 3.6 also had a ping reply..-I didn't really play around with Outpost that much so don't take it the wrong way.

    I know of PCFlank and Blackcode--but their scans do not tell me about the ping reply.


    regards
     
  23. Phant0m``

    Phant0m`` Guest

    Hey Q-ball

    Yes the Look ‘n’ Stop Firewall normally passes totally for all except you so it seems.

    ETH-1 is a rule to Allow Ethernet packets between my Local Computers; I don’t recommend using that rule, unless you absolutely “know” it’s necessary.

    If you go to my website and into FAQs / Miscellaneous / Online Port Scans, you should find some sites.
     
  24. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    Your probe of 0.0.0.0/24 yielded the following results:

    Network: 0.0.0.0, Netmask: 255.255.255.0, Broadcast: 0.0.0.255, Responded: Yes (broadcast=0, network=1), Duplicates: 0

    CONCLUSION: The network responded, but returned no dups. OK network.


    id: 1000030
    created: 1998-05-07 01:34:24 CET
    updated: 1998-05-07 01:34:24 CET
    network: 0.0.0.0/24
    net-descr: not-analyzed
    last-probed: 2003-05-26 08:32:40 CET
    responding: Yes
    duplicates: 0 (highest seen, resets to 0 when 0 seen)
    fixed: never
    home-as: not-analyzed
    as-descr: not-analyzed

    http://www.powertech.no/smurf/

    That's the results from this site.
     
  25. Phant0m``

    Phant0m`` Guest

    Yep, firstly you didn't put an IP address into the field... :)
     
Thread Status:
Not open for further replies.
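
Added example (not part of any post in this thread): a small Python parser for the GRC Port Authority reports quoted above, showing that the FAILED and PASSED runs differ only in the ICMP echo line while the port counts are identical. The function names are hypothetical, and treating a missing "NO unsolicited packets" line as a failure is an assumption.

```python
import re
# Reports copied from posts 2 and 4 of the thread (separator line dropped).
FAILED_REPORT = """\
GRC Port Authority Report created on UTC: 2003-05-21 at 23:59:27
Results from scan of ports: 0-1055
0 Ports Open
0 Ports Closed
1056 Ports Stealth
1056 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
"""
PASSED_REPORT = """\
GRC Port Authority Report created on UTC: 2003-05-22 at 01:30:50
Results from scan of ports: 0-1055
0 Ports Open
0 Ports Closed
1056 Ports Stealth
1056 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
"""

def parse_report(text):
    """Return port counts, the TruStealth verdict and the two sub-checks."""
    counts = {state.lower(): int(n) for n, state in re.findall(
        r"^\s*(\d+) Ports (Open|Closed|Stealth|Tested)\s*$", text, re.M)}
    verdict = re.search(r"TruStealth:\s*(PASSED|FAILED)", text)
    if not verdict or "tested" not in counts:
        raise ValueError("not a GRC Port Authority report")
    return {"counts": counts, "trustealth": verdict.group(1),
            "ping_reply": bool(re.search(r"^\s*- A PING REPLY", text, re.M | re.I)),
            # Assumption: anything but the "NO unsolicited" line counts as a failure.
            "unsolicited": not re.search(r"^\s*- NO unsolicited packets", text, re.M | re.I)}

def failure_reasons(report):
    """List which checks failed; empty when nothing answered the probe."""
    c = report["counts"]
    checks = [
        (c.get("stealth", 0) != c["tested"], "some ports answered (open or closed)"),
        (report["unsolicited"], "unsolicited packets were received"),
        (report["ping_reply"], "host answered ICMP echo although every port is filtered"),
    ]
    return [why for failed, why in checks if failed]
```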