Perfect Stealth, yet no Firewall on, HOW?

Discussion in 'other firewalls' started by truthseeker, Jun 23, 2008.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Nope, as far as I know, standard NAT has no stealth capability.
    Will make a test..... and report back... ;)

    Cheers,
    Fax
    EDIT: confirmed NAT does not stealth ports (GRC) at least into two router tested...
     
    Last edited: Jun 26, 2008
  2. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Maybe it does, and maybe it doesn't ...

    I have a router, directly connected to the internet (cable modem between router and internet), and when I test it for stealth SOME ports are stealthed, but not all.

    I have no idea if NAT has anything to do with it.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Yes, some ports can be stealthed...
    But this has nothing to do with NAT ;)

    Cheers,
    Fax
     
  4. mfenech

    mfenech Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    46
    I use a Speedstream 4100 modem with NAT enabled, no software firewall (Win2000), and I get all stealth on the test.
     
  5. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Depends on how your router is set up. The router probably has a packet filter that tells it to just drop all unsolicited incoming packets.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    True, a simple NAT router will stealth all ports, however, it may respond to a ping in it's default settings/state.
     
  7. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Yes NAT just means that no computer can access your computer directly. So whan you get scanned, it just means that your router, not computer is being scanned.

    Whether you get "stealthed" depends on how the router is configured. But it is no biggie, stealth just means that all the packets are dropped. Closed just means your router responds and confirms that it is closed.
     
  8. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    21 stealthed FTP File Transfer Protocol is used to transfer files between computers
    23 stealthed TELNET Telnet is used to remotely create a shell (dos prompt)
    80 stealthed HTTP HTTP web services publish web pages
    135 stealthed RPC Remote Procedure Call (RPC) is used in client/server applications based on MS Windows operating systems
    137 stealthed NETBIOS Name Service NetBios is used to share files through your Network Neighborhood
    138 stealthed NETBIOS Datagram Service NetBios is used to share files through your Network Neighborhood
    139 stealthed NETBIOS Session Service NetBios is used to share files through your Network Neighborhood
    1080 stealthed SOCKS PROXY Socks Proxy is an internet proxy service
    1243 stealthed SubSeven SubSeven is one of the most widespread trojans
    3128 stealthed Masters Paradise and RingZero Trojan horses
    12345 stealthed NetBus NetBus is one of the most widespread trojans
    12348 stealthed BioNet BioNet is one of the most widespread trojan
    27374 stealthed SubSeven SubSeven is one of the most widespread trojans
    31337 stealthed Back Orifice Back Orifice is one of the most widespread trojans

    same results. just using a Modified Linksys router :cool: free firewalls are always good even tho I run a software one for outbound mainly


    Edit.
    Thanks to the Mod that removed the 2nd post for me
     
    Last edited by a moderator: Jun 27, 2008
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Lets try again... standard NAT technology is not designed to stealth ports and not the purpose of NAT.

    By default you will have port closed. Stealth status for some or for all ports depends on the specific configuration of your router, configuration other than NAT.

    Cheers,
    Fax
     
  10. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    1. Siemens 4200

    2. Yes, access interface through http

    3. It only has NAPT enabled, nothing else. Even the modems firewall is OFF. Yet I receive perfect stealth from all tests.
     
  11. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Well all I can tell you is this... I have Firewall OFF in Vista and I do NOT have any 3rd party Firewall installed. In fact, Vista is complaining that I am not protected by any Firewall and that I should turn it on.

    However, I get perfect STEALTH reporting from every test I have done.

    And the only thing I have activated is NAPT in my router.

    And when I disable NAPT, I do not get STEALTH reporting anymore.

    So what does that tell you?

    So my question is..... How does NAPT do that? And why would a person need a Firewall when NAPT works as a firewall anyway?
     
  12. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Yes exactly right. There is a distinction from NAT and stealthing. But most routers tend to stealth themselves by default.
     
  13. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I've said this before, it is because your router is being scanned. By default most routers just drop packets which will give you a stealth rating from grc.
     
  14. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    So our Siemens must be doing a good job with the NAPT :)
     
  15. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yep, got it, sounds good to me :)
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Can you give me some specific examples or details on that "specific configuration of your router"?

    All I have here is a cheap NAT router with no special "configuration", and it stealths on a grc.com tests with the exception of ping replies on default, out of the box.

    Please expand on your comments with more specifics.....
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Difficult to expand... may be STEM can help (?).
    For me is like to say that you have a car and it works without an engine inside. :)

    Don't think it depends on how cheap your router is (most routers are cheap) but about the specific features of the router other than standard NAT.

    Cheers,
    Fax
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Yes it doesn't matter how cheap a router is. Getting "stealthed" isn't exactly voodoo magic that takes years to master. It just means that your router will simply drop packets that dont relate an already established connection. Connections are usually established when you connect out. So if you point your FF to wilders, your router remembers that you initiated a connection to wilders and will route the traffic to you as wilders sents packets to your router. However if wilders just randomly sent you a packet, because you didnt initiate it, your router just ignores the packet. In grc terms, that is "stealth". Most routers are usually configured to react this way by default.
     
  19. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Thanks for this. Was easy to read and to understand :)
     
  20. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Glad to be of help. If you are at GRC, have a listen to some of the security now podcasts. Steve Gibson is very good at explaining the concepts. However take his comments on the wmf exploit and his view on "stealth" firewalls with a grain of salt.
     
  21. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I think a router can only provide a very limited SPI (Stateful Packet Inspection). How does the router know if what's coming in is what you want to come in ?
    There is also no outbound protection.

    Here a good software firewall comes in handy.
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I guess I'm think that all I really have here is NAT, and with that I get stealth on grc.com for example. So I don't really see or understand what else in the router is creating stealth other than just NAT. Does that make any sense? :)
     
  23. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    Because you have you to Start the prossess before it can let anything in. it dont just accept random data. Read posts above if your lost.
     
  24. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    It doesn't have to be SPI to provide inbound protection. All routers will have to have a statetable to remember if a connection has been initiated.

    As I said before, getting stealth isn't like magic. The effect of NAT is that your router rather than your computer will be scanned. You get stealth because, by default, most routers just drop packets not belonging to an inititiated connection.
     
  25. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Ok, so you're saying that it's just the router and not NAT that's doing the packet dropping...
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.