When I do a protocol scan I get data sent back from the firewalled/stealth machine.
For all detections I used the following setup:
[linux host as the Scanner] – LAN – [Firewalled host, Vista SP1 CFP 126.96.36.199]
Tools: Nmap, hping2 and TCPDUMP.
nmap -sO firewalled.ip -vvv
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-04 13:12 CEST
Initiating ARP Ping Scan at 13:12
Scanning firewalled.ip [1 port]
Completed ARP Ping Scan at 13:12, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:12
Completed Parallel DNS resolution of 1 host. at 13:12, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating IPProto Scan at 13:12
Scanning firewalled.ip [256 ports]
Discovered open port 6/ip on firewalled.ip
Discovered open port 1/ip on firewalled.ip
Completed IPProto Scan at 13:12, 19.62s elapsed (256 total ports)
Host firewalled.ip appears to be up … good.
Interesting protocols on firewalled.ip:
Not shown: 253 open|filtered protocols
PROTOCOL STATE SERVICE
1 open icmp
6 open tcp
103 closed pim
13:12:10.189253 IP firewalled.ip > scanner.ip: ICMP firewalled.ip protocol 103 unreachable, length 28
Can anyone confirm this as default stealth behaviour?
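
An ICMP "protocol unreachable" reply like the one in the capture above is what lets an IP protocol scan mark protocol 103 as closed and confirms that the host is up. As an added example (not part of the original post), this Python check reads tcpdump text output and lists the ICMP replies emitted by a host that is meant to stay silent; the addresses and sample lines are constructed, and the line format assumes `tcpdump -n` output.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n lines (not the original capture): 192.0.2.10 plays the
# firewalled host, 192.0.2.20 the scanner.
SAMPLE = """\
13:12:08.101200 IP 192.0.2.20 > 192.0.2.10: ip-proto-103 0
13:12:10.189253 IP 192.0.2.10 > 192.0.2.20: ICMP 192.0.2.10 protocol 103 unreachable, length 28
13:12:11.000412 IP 192.0.2.10 > 192.0.2.20: ICMP echo reply, id 4242, seq 1, length 64
13:12:12.250019 IP 192.0.2.10 > 192.0.2.20: ICMP 192.0.2.10 udp port 161 unreachable, length 36
13:12:13.400777 IP 192.0.2.20 > 192.0.2.10: ICMP echo request, id 4242, seq 2, length 64
"""

# timestamp, source, destination, then the ICMP description tcpdump prints
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): ICMP (?P<body>.*)$")
# "<addr> protocol N unreachable" or "<addr> udp|tcp port N unreachable"
UNREACH = re.compile(r"^\S+ (?P<what>protocol \d+|(?:udp|tcp) port \d+) unreachable")


def stealth_leaks(capture, host):
    """Return {peer: [reply kinds]} for ICMP replies sent by `host`.

    Any entry means the host answered a probe instead of dropping it,
    which is enough for a scanner to tell that the address is in use.
    """
    leaks = defaultdict(list)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["src"] != host:
            continue  # not ICMP, or not sent by the monitored host
        body = m["body"]
        u = UNREACH.match(body)
        if u:
            leaks[m["dst"]].append(u["what"] + " unreachable")
        elif body.startswith("echo reply"):
            leaks[m["dst"]].append("echo reply")
    return dict(leaks)


if __name__ == "__main__":
    for peer, kinds in stealth_leaks(SAMPLE, "192.0.2.10").items():
        print(f"replies sent to {peer}: {', '.join(kinds)}")
```
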