Subject: Re: How Does Stealth Mode Work In Portscanners
Author: PanZer
Date Posted: 14:52:57 07/22/01 Sun
In reply to: Yrax's message, "How Does Stealth Mode Work In Portscanners" on 13:05:12 07/22/01 Sun

Yeah, a port scanner isn't the hardest program to write. But it's not super easy either. Some port scanners have a stealth mode, but a stealth mode scan can be detected with most firewalls. The main difference is that with a normal TCP port scan, the scanner tells if the port is open by making a full 3-way handshake connection to that port. With a stealth scan the scanner only makes a half-open connection, which is not really considered a connection in the TCP protocol.

In the end, some port scanning detection programs will only log a port scan if the remote scanner is trying to make a full TCP connection. So doing a half-open scan will stop you from being logged, but most port scanning detection programs will log both half and full connection scans. So the stealth scan is not really stealth, it's just a little stealthier than the normal port scan. What usually determines if the port scanning detection program is gonna log a half-open scan is the security level the detection program is set at.

(This part gets a little deep into the TCP/IP protocol, so bear with me.)
If you would like to know how it works: a full 3-way handshake connection scan checks to see what ports are open by sending a SYN packet (first step) to the target machine's port. If the port is open the target machine sends a SYN/ACK packet back (second step). If the port is closed the target machine sends a RST/ACK packet back. And last, the comp doing the scan sends an ACK packet (third step) to the target machine to allow the TCP connection to be made.

In a half-open scan (stealth scan) everything is the same up to the third step. In the third step the comp doing the scan sends a RST/ACK packet instead of an ACK packet. The RST/ACK packet stops the connection from ever being made, whereas an ACK packet in the third step establishes a full TCP connection.

Damn, that's almost a tutorial.
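A defender-side illustration of the distinction PanZer draws, added here as an example and not part of the original post: a small Python classifier labels each probe in a constructed packet trace as full-connect, half-open or closed-port, and a detector whose "security level" decides whether half-open probes count toward a scan alert. The addresses, ports, trace and threshold are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sensor trace (not from the post): (src, dst, dst_port, tcp_flags).
# 192.168.1.9 probes 10.0.0.5: one full-connect, two half-open, one closed port;
# 10.0.0.7 makes a single ordinary connection.
TRACE = [
    ("192.168.1.9", "10.0.0.5", 22, "SYN"), ("10.0.0.5", "192.168.1.9", 22, "SYN/ACK"),
    ("192.168.1.9", "10.0.0.5", 22, "ACK"),       # step 3: ACK completes the handshake
    ("192.168.1.9", "10.0.0.5", 80, "SYN"), ("10.0.0.5", "192.168.1.9", 80, "SYN/ACK"),
    ("192.168.1.9", "10.0.0.5", 80, "RST/ACK"),   # step 3: RST/ACK tears it down (half-open)
    ("192.168.1.9", "10.0.0.5", 443, "SYN"), ("10.0.0.5", "192.168.1.9", 443, "SYN/ACK"),
    ("192.168.1.9", "10.0.0.5", 443, "RST"),      # a bare RST has the same effect
    ("192.168.1.9", "10.0.0.5", 23, "SYN"), ("10.0.0.5", "192.168.1.9", 23, "RST/ACK"),  # closed
    ("10.0.0.7", "10.0.0.5", 22, "SYN"), ("10.0.0.5", "10.0.0.7", 22, "SYN/ACK"),
    ("10.0.0.7", "10.0.0.5", 22, "ACK"),
]

def classify_probes(packets):
    """Map (initiator, target, port) -> 'full-connect' | 'half-open' | 'closed'.
    The initiator is whoever sent the SYN; replies are matched by reversing the pair."""
    flows = defaultdict(list)
    for src, dst, port, flags in packets:
        if (dst, src, port) in flows:
            flows[(dst, src, port)].append(("target", flags))
        else:
            flows[(src, dst, port)].append(("init", flags))
    kinds = {}
    for key, steps in flows.items():
        if ("target", "RST/ACK") in steps:
            kinds[key] = "closed"          # port closed: target refused in step 2
        elif ("init", "ACK") in steps:
            kinds[key] = "full-connect"    # all three steps seen
        elif ("target", "SYN/ACK") in steps:
            kinds[key] = "half-open"       # SYN/ACK seen but never acknowledged
    return kinds

def detect_scans(packets, level="high", threshold=3):
    """Emulate a detector's security level: 'low' counts only full-connect probes
    toward the per-source threshold, 'high' also counts half-open and closed-port probes."""
    counted = {"low": {"full-connect"}, "high": {"full-connect", "half-open", "closed"}}[level]
    per_src = defaultdict(Counter)
    for (initiator, _target, _port), kind in classify_probes(packets).items():
        per_src[initiator][kind] += 1
    return {src: dict(c) for src, c in per_src.items()
            if sum(n for k, n in c.items() if k in counted) >= threshold}

if __name__ == "__main__":
    print("low: ", detect_scans(TRACE, "low"))    # scanner is not logged
    print("high:", detect_scans(TRACE, "high"))   # scanner is logged with its probe mix
```

At the low level the half-open and closed-port probes never reach the threshold, which is exactly the gap the post describes; at the high level the same trace produces an alert.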


Replies:
Nice tutorial, PanZer... (Plebius, 18:01:10 07/22/01 Sun)
Forum timezone: GMT-6