Stealth mode? reality or fake security?

Status
Not open for further replies.

digen

Youngling
Well, there are many online security sites which offer to scan your PC [which actually means your public IP]. The most famous being Steve Gibson's GRC Shields Up. There are a bunch of people everywhere who believe that the stealth mode status gives them some sort of added security... I was one of them until recently [I hope I'm not wrong].
Stealth is often taken to mean invisible. But that is not literally the case.
Here are the packets captured from my favourite Ethereal:
*img36.exs.cx/img36/8812/etherealpacketcapture5so.th.jpg

The above was taken after initiating a scan at GRC's Shields Up test [to be specific, for "all service ports"].
Although I can post the entire packet capture session here, I clearly couldn't understand the working, since it did not contain a per-port probe for my destination IP; that's what baffles me.
I certainly have not understood how these online security scanners probe for each port without the packet capturing tool displaying a probe for each & every host port.
It certainly has got to do with ICMP request/reply, but that doesn't seem to show in the capture session. I'm looking forward to someone enlightening me on this part.

Anyway, consider 2 hosts, HOST A & HOST B.
Say HOST B is stealth [or invisible, as it is more likely called]. When HOST A sends an ICMP echo request, under normal circumstances, if HOST B actually did not exist, then the last router on the way would send a "host unreachable" message back to HOST A. But that does not happen here, since the connection times out after around 3 tries, I think [I'm not quite sure of this]. This silence of any messages forwarded back to HOST A certainly seems to indicate that there is something which is dropping traffic & not replying to echo request messages, which it should normally do under the proper working of the networking model. This will certainly give a sniff of an indication to any script kiddie scanning your host computer, even if it's under the stealth mode state. If this is certainly the case, then won't having the stealth mode tag give you nothing more than just fake mental peace?

Also, I've learnt that unless you have any kind of service/s running on your host computer, there is nothing a script kiddie can do with a bunch of closed ports in hand. Am I right over here?
I hope I'm on the right track over here; if I'm not, then please do correct me.
 
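The HOST A / HOST B scenario above, as an added example that is not part of the original post: a pure-Python model (no packets are sent) of what a single probe learns from an absent host, a host that answers closed ports with RST, and a host whose firewall silently drops the probe. The "last router sends host unreachable" behaviour is taken from the post's own description, and the policy names are made up for the example.

```python
# Added example (not from the thread): model what one SYN probe reveals about
# three kinds of target. Pure simulation, nothing touches the network.
from dataclasses import dataclass

@dataclass(frozen=True)
class Reply:
    kind: str     # "SYN/ACK", "RST", "ICMP host unreachable" or "none"
    sender: str   # who answered: the host itself, the last router, or nobody

def target_reply(exists: bool, policy: str, port: int, listening: set) -> Reply:
    """Model the target side.

    policy is "closed"  -> host answers every unused port with RST (TCP default)
              "stealth" -> a firewall silently drops probes to unused ports
    (policy names are assumptions made for this example)
    """
    if not exists:
        # No host at that address: per the post, the last router answers instead.
        return Reply("ICMP host unreachable", "router")
    if port in listening:
        return Reply("SYN/ACK", "host")
    if policy == "closed":
        return Reply("RST", "host")
    return Reply("none", "nobody")   # stealth: silence, i.e. the probe times out

def classify(reply: Reply) -> str:
    """What the probing side can infer from that reply."""
    if reply.kind == "SYN/ACK":
        return "open: a service is listening"
    if reply.kind == "RST":
        return "closed: host is up, nothing listening here"
    if reply.kind == "ICMP host unreachable":
        return "no host: the router says nobody lives at this address"
    return "filtered: silence, so something up there is dropping packets"

def compare_policies(port: int = 80) -> dict:
    """Side-by-side verdicts for a host that runs no services at all."""
    return {
        "absent":  classify(target_reply(False, "closed", port, set())),
        "closed":  classify(target_reply(True, "closed", port, set())),
        "stealth": classify(target_reply(True, "stealth", port, set())),
    }

if __name__ == "__main__":
    for policy, verdict in compare_policies().items():
        print(f"{policy:8s} -> {verdict}")
```

Note that "closed" and "stealth" both differ from "absent", so silence does not make the host look nonexistent; and with nothing listening, neither policy hands a probe anything to connect to.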

enoonmai

Cyborg Agent
First off, let's take a look at how port scanning works in the first place. The most basic form of scanning is the TCP connect() scan wherein the connect() system call provided by the OS is used to attempt a successful connection with every interesting port on the machine. So what an online scanner does is simply send out a connect() signal and see what responds. Let's say if a specific service, say ssh, responds, then it uses a list of known vulnerabilities for that service to see if your computer is vulnerable to that kind of attack. It doesn't exactly perform the attack, of course. And once again, the port scanner uses the strobe or stealth modes so that the threshold triggers on your packet capture program are not alerted. Contrary to what you think, you will not see a range of ports being accessed in a linear fashion along with the error messages that your computer responds with, etc. What would happen is that the time interval for the probe would be spread out over a period, with the scanner trying out a vulnerability in the meantime between successive probes, so that the threshold values aren't crossed. No one "blanket scans" all ports. :) Did I also mention that connect() scanning is the fastest scanning method?

However, the information that your particular GRC Shields Up test performs is a SYN scan. This is one of the most clandestine scanning methods available and very few alerts would be thrown up because of SYN scans, unless you've set up a rigorous monitoring rule. What it does simply is a "half-open" scan where it doesn't open a full TCP connection, but sends a SYN packet (as can be seen from your Ethereal capture data. 204.1.226.230 or rather 213.133.98.149#53 is grc.com as a simple nslookup would have told you) as if it's going to open a real connection, and waits for an ACK. Usually, most sysadmins send an RST to tear down the connection, which would tell that host that there is no machine listening for a SYN at the other end. But of course, your computer immediately sends its own SYN/ACK to grc.com, as can be again seen in your Ethereal data, so what it does is then switch to looking for vulnerabilities. Most probably, it was trying to test the vulnerability of accepting changed IP addresses in the event of a pause/continue HTTP action. It then went on to perform another SYN scan and then test for another vulnerability. If you run through the entire Ethereal log, you can know exactly what services were scanned and what vulnerabilities the server was looking for.

The ICMP request/response you were talking about would only figure in UDP scanning and of course ICMP echo scanning, where messages such as EAGAIN or ECONNREFUSED would be sent to the scanner, indicating that a host is indeed up and running that particular service. However, most good sysadmins make sure the ICMP_PORT_UNREACH error is what's sent instead, saving their network from further port scans, as no hacker/scriptkiddie is gonna waste his time portscanning a single computer over and over again for detailed information on "interesting" ports.
So, you see, even if a scriptkiddie comes to know that the machine is existing, even if it's in stealth mode, he doesn't have much use for it, as he would rather look at an unprotected machine that would allow him to install a rootkit or chain a DoS attack or whatever. These may not stop a determined hacker, but the stealth mode and all that is just a way of making the scriptkiddies' jobs a bit tougher. And it's a pretty good deterrent, actually. :D Hope that would have cleared things up a bit. Plus, I hope it also explained the Ethereal data a bit.
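The "rigorous monitoring rule" mentioned in the reply above, as an added example that is not part of the original thread: a minimal SYN-scan detector run over constructed tcpdump-style capture lines. It flags a source that sends bare SYNs to many distinct ports on one host without ever completing the handshake, which is the footprint of a half-open scan; the addresses, ports and threshold are made-up values for the example.

```python
# Added example (not from the thread): spot a half-open (SYN) scan in a capture.
# CAPTURE is a constructed sample in tcpdump-like notation, not real traffic:
# 10.0.0.5 sends bare SYNs to six ports and never ACKs, while 10.0.0.9
# completes a normal three-way handshake to port 80.
import re
from collections import defaultdict

CAPTURE = """\
10.0.0.5.40001 > 192.168.1.10.21: Flags [S]
10.0.0.5.40002 > 192.168.1.10.22: Flags [S]
10.0.0.5.40003 > 192.168.1.10.23: Flags [S]
192.168.1.10.22 > 10.0.0.5.40002: Flags [S.]
10.0.0.5.40004 > 192.168.1.10.25: Flags [S]
10.0.0.5.40005 > 192.168.1.10.80: Flags [S]
10.0.0.5.40006 > 192.168.1.10.110: Flags [S]
10.0.0.5.40002 > 192.168.1.10.22: Flags [R]
10.0.0.9.51000 > 192.168.1.10.80: Flags [S]
192.168.1.10.80 > 10.0.0.9.51000: Flags [S.]
10.0.0.9.51000 > 192.168.1.10.80: Flags [.]
"""

# src.sport > dst.dport: Flags [flags]; the greedy \S+ backtracks to the last dot
LINE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def syn_scan_sources(capture: str, threshold: int = 5) -> dict:
    """Return {source_ip: sorted ports} for every source that sent a bare SYN
    to at least `threshold` distinct ports and never completed the handshake
    (no bare ACK from that source to that port)."""
    syn_ports = defaultdict(set)   # src -> ports probed with a bare SYN
    completed = set()              # (src, dport) pairs that got a client ACK
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue                 # skip lines that are not TCP packets
        src, _sport, _dst, dport, flags = m.groups()
        if flags == "S":
            syn_ports[src].add(int(dport))
        elif flags == ".":           # bare ACK: third step of the handshake
            completed.add((src, int(dport)))
    suspects = {}
    for src, ports in syn_ports.items():
        unfinished = {p for p in ports if (src, p) not in completed}
        if len(unfinished) >= threshold:
            suspects[src] = sorted(unfinished)
    return suspects

if __name__ == "__main__":
    print(syn_scan_sources(CAPTURE))
```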
 

digen

Youngling
Wokay, thanks for the detailed explanation mate, but I had posted this question at another security forum.
It seems I messed up with the basics; the reason why the per-port probe scans aren't showing up under the Ethereal session is simply because I'm behind a NAT router.
This clearly indicates that all traffic isn't reaching Ethereal, & rightly so, since it wasn't placed at the perimeter.
I'll directly connect to the internet without the NAT router & capture packets, & will post the session here for further understanding.

Anyway, my point was: what does a host which is in stealth state have as an added advantage, apart from what I prefer, having ports as closed?
 