Topic: Port Scan Test with the latest beta version (Read 3570 times)


Verb

Re: Port Scan Test with the latest beta version
« Reply #31 on: November 08, 2009, 11:12:11 PM »
Hi xaoc, good luck in the army !

Stateful Inspection beginning a response with the verdict 'accept' (but rejected by 'Block All not Processed Protocol Packets') is a defect of the anti-scanner. It will be corrected in the new JPF.

Tommy

Jetico Forums Team Leader, Administrator
Re: Port Scan Test with the latest beta version
« Reply #30 on: November 08, 2009, 05:46:10 PM »
Try following:

1. Close Jetico
2. Copy and backup your current config.xml file
3. Run the Jetico Wizard and create a standard config file.
4. Start Jetico and run the test again.

What happens?

xaoc

Re: Port Scan Test with the latest beta version
« Reply #29 on: November 08, 2009, 10:58:05 AM »
I'm sorry for the big delay (I'm in the army now).
Both "Block All not Processed Protocol Packets" reject rules in "Network" table and "IP Table" table are active.
When they are disabled the test results are still the same.

Verb

Re: Port Scan Test with the latest beta version
« Reply #28 on: October 18, 2009, 06:09:15 PM »
I'm sorry for delay (happens because I love the yellow).

We concluded that the tests are carried out with 'stateful' enabled !

If by 'accident' you also have the rule 'reject' => 'Block All...Protocol Packets' active?

You will see that the test will have a completely different result.

xaoc

Re: Port Scan Test with the latest beta version
« Reply #27 on: October 10, 2009, 07:35:00 PM »
Yes, all packets from the GRC test are accepted by the TCP stateful rule (with stateful inspection enabled).
JPF log:
Code:
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 5000 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 7B3CA9D5
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 1720 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 96567D02
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 1030 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: F5E70E53
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 1029 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: D41D8CD9
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 1028 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 12B97B6B
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 1027 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: EB54C10B
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 1026 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 6AC4CAC3
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 1024 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: B0C1D7FC
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 1002 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 1F64D0BE
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 443 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 690998F5
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 389 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: E3551A81
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 143 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 5D15814A
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 119 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 548C24E6
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 113 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 82BE67BF
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 110 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 31577344
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 80 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 10CBC3A
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 79 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 949A673F
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 23 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: D41D8CD9
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 22 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: B8AA6F71
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 21 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 37E0EF84
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 0 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: CA441D4E

Verb

Re: Port Scan Test with the latest beta version
« Reply #26 on: October 10, 2009, 01:44:13 AM »
All packets reach my PC.

If so, with (all packets reach) I can reproduce the poor ShieldsUP Stealth test only with 'TCP Stateful' ==> 'Stateful inspection' disabled?
Otherwise I have 100% stealth, not 'blue' port. Without more information I do not know how I can help.

xaoc

Re: Port Scan Test with the latest beta version
« Reply #25 on: October 10, 2009, 12:32:51 AM »
Oops. I just forgot to clean the rule's description; the word lsass was just cloned from another rule.

This is the correct one:

Action  Description      Log level  Protocol  Event            Source address
reject  ignore_grc_scan  alert      TCP       incoming packet  4.79.142.206

Verb

Re: Port Scan Test with the latest beta version
« Reply #24 on: October 09, 2009, 10:26:33 PM »
reject   lsass   alert   TCP   incoming packet   4.79.142.206

You talk about lsass.exe; does it mean that your lsass.exe communicates with the Internet?

xaoc

Re: Port Scan Test with the latest beta version
« Reply #23 on: October 09, 2009, 10:12:38 PM »
Verb,
It's not router problem. All packets reach my PC.

I can even simulate the stealth result by blocking all packets from grc-test IP.
reject   lsass   alert   TCP   incoming packet   4.79.142.206
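The JPF log in reply #27 above and the per-source reject rule in replies #25 and #23 together explain the "CLOSED, not stealth" result, and the following added example makes the reasoning concrete. It is not Jetico code: the field layout is inferred from the posted log lines (three of which are copied in as sample input), the first-match rule chain is a simplified model of what the thread describes, and the assumption that a JPF 'reject' sends no reply to the scanner is taken from xaoc's report that the reject rule reproduces the stealth result.

```python
"""Parse JPF-style log lines and show how the firewall verdict on an unsolicited
inbound SYN maps to a ShieldsUP result (Closed vs. Stealth).

Added example for this thread; not Jetico code. The field layout below is
inferred from the posted log, not taken from Jetico documentation."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Three lines copied from the JPF log posted in reply #27 (constructed sample input).
SAMPLE_LOG = """\
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 5000 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 7B3CA9D5
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 443 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 690998F5
2009-10-10 20:19:18 accept TCP Stateful 44 TCP incoming packet 4.79.142.206 109.104.181.178 43244 80 TTL: 229; TOS: 80; ID: 00F0; TCP flags: SYN ; TCP Seq: 10CBC3A
"""

# timestamp, verdict, rule name, length, protocol, direction, src, dst, sport, dport, details
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<verdict>\w+) (?P<rule>.+?) (?P<length>\d+) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<direction>incoming|outgoing) packet "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: str
    verdict: str
    rule: str
    proto: str
    direction: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset


def parse_line(line: str) -> Optional[Packet]:
    """Parse one log line; returns None for lines that are not packet records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fm = re.search(r"TCP flags: (.*?) ;", m["rest"])
    flags = frozenset(fm.group(1).split()) if fm else frozenset()
    return Packet(m["ts"], m["verdict"], m["rule"], m["proto"], m["direction"],
                  m["src"], m["dst"], int(m["sport"]), int(m["dport"]), flags)


def parse_log(text: str) -> List[Packet]:
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def is_unsolicited_syn(p: Packet) -> bool:
    # A fresh inbound connection attempt: inbound TCP with SYN set and ACK clear.
    return (p.proto == "TCP" and p.direction == "incoming"
            and "SYN" in p.flags and "ACK" not in p.flags)


def accepted_unsolicited_ports(packets: List[Packet]) -> List[int]:
    """Ports to which the firewall passed a fresh inbound SYN on to the TCP stack."""
    return sorted({p.dport for p in packets
                   if is_unsolicited_syn(p) and p.verdict == "accept"})


@dataclass
class Rule:
    action: str          # "accept" or "reject"
    src: Optional[str]   # None matches any source address


def first_match(p: Packet, rules: List[Rule], default: str = "reject") -> str:
    """Simplified first-match rule chain (a model, not JPF's real evaluation order)."""
    for r in rules:
        if r.src is None or r.src == p.src:
            return r.action
    return default


def shieldsup_result(p: Packet, rules: List[Rule]) -> str:
    """Result the scanner sees for one probe, assuming nothing listens on the port.
    An accepted SYN reaches the OS, which answers a closed port with RST -> 'Closed'.
    A rejected SYN gets no reply (assumed, per the thread's report) -> 'Stealth'."""
    return "Closed" if first_match(p, rules) == "accept" else "Stealth"


def scan_summary(log: str, rules: List[Rule]) -> dict:
    probes = [p for p in parse_log(log) if is_unsolicited_syn(p)]
    return {p.dport: shieldsup_result(p, rules) for p in probes}


# Situation in the thread: 'TCP Stateful' lets the SYNs through (observed verdict 'accept').
STATEFUL_ONLY = [Rule("accept", None)]
# xaoc's workaround: a reject rule for the scanner's source address placed before it.
WITH_REJECT = [Rule("reject", "4.79.142.206")] + STATEFUL_ONLY

if __name__ == "__main__":
    for name, rules in (("stateful only", STATEFUL_ONLY), ("reject rule first", WITH_REJECT)):
        print(name, scan_summary(SAMPLE_LOG, rules))
```

Running the module prints every probed port as Closed under the stateful-only chain and as Stealth once the reject rule comes first, which is the difference between the two ShieldsUP results discussed in the thread.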

Verb

Re: Port Scan Test with the latest beta version
« Reply #22 on: October 09, 2009, 07:05:01 PM »
Well, as I see your PC is behind a router. I think you should first configure your router if you want to check an online PC stealth test behind a JPF.

Put your PC in router DMZ - zone.

DMZ (Demilitarized Zone) is used to allow a single computer on the LAN to be exposed to the Internet.

Example of router DMZ conf:

Your PC IP Address: 192.168.0.110 (your real PC address)

DMZ: Enabled

Apply.

Then go to GRC | ShieldsUP ==> Stealth test

xaoc

Re: Port Scan Test with the latest beta version
« Reply #21 on: October 09, 2009, 03:48:33 PM »
Stealth test fails at each policy, except for "Block All".
This problem is not based on configuration.
Even the default "Optimal protection" policy fails. Check it.

Verb

Re: Port Scan Test with the latest beta version
« Reply #20 on: October 09, 2009, 03:05:12 PM »
Can you post your "jpfconfig.xml" file?

xaoc

Re: Port Scan Test with the latest beta version
« Reply #19 on: October 09, 2009, 01:31:11 PM »
Is the 'Jetico personal Firewall Network Monitor' installed in your Network Properties?

Certainly yes.

We need more JPF users to reply in this thread... not just me and darkwolf.

Tommy

Jetico Forums Team Leader, Administrator
Re: Port Scan Test with the latest beta version
« Reply #18 on: October 09, 2009, 01:12:55 AM »
Is the 'Jetico personal Firewall Network Monitor' installed in your Network Properties?

That is definitely a wrong or not installed driver.

Here Win XP SP3 and with ShieldsUp everything green (stealth 100%)

xaoc

Re: Port Scan Test with the latest beta version
« Reply #17 on: October 07, 2009, 07:41:01 PM »
...same results.... ports are marked as CLOSED.
Tested on Windows XP Pro SP3 and Windows Server 2003 Ent SP2.