Varredura de porta e Firewall do Windows

1

Estou tentando entender os resultados que estou obtendo ao verificar portas em uma máquina que possui um Firewall do Windows interno ativo. Meu ambiente de teste possui duas máquinas com Windows 7 em execução nas VMs do Hyper-V conectadas diretamente a um comutador virtual interno e na mesma sub-rede, sem nenhum outro firewall entre elas.

Máquina A - Firewall do Windows desativado e executando o Nmap 7.60

Máquina B - Máquina sendo digitalizada

Quando o Firewall do Windows está desativado na Máquina B, todas as portas são exibidas como abertas ou fechadas - EXPECTED.

Quando o Firewall do Windows é ativado na Máquina B com regras padrão, algumas portas são exibidas como abertas (ESPERADAS) e as demais são exibidas como Filtradas.

Quando eu crio uma regra de entrada para permitir conexões em uma porta específica que não tem um ouvinte, eu esperaria que essa porta fosse verificada como fechada, mas ainda está sendo mostrada como Filtrada com o motivo Nenhuma Resposta.

Alguém pode explicar por que não há resposta ao verificar uma porta para a qual existe uma regra de entrada ativa para permitir conexões e nenhuma regra de negação? Estou usando o scan SYN.

    
por David 04.10.2017 / 04:14

3 respostas

1

O firewall filtra o TCP SYN para que o TCP nunca o receba e o TCP não pode enviar o RST necessário. De RFC 793, Protocolo de Controle de Transmissão :

Reset Generation

As a general rule, reset (RST) must be sent whenever a segment arrives which apparently is not intended for the current connection. A reset must not be sent if it is not clear that this is the case.

There are three groups of states:

  1. If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means.

    If the incoming segment has an ACK field, the reset takes its sequence number from the ACK field of the segment, otherwise the reset has sequence number zero and the ACK field is set to the sum of the sequence number and segment length of the incoming segment. The connection remains in the CLOSED state.

  2. If the connection is in any non-synchronized state (LISTEN, SYN-SENT, SYN-RECEIVED), and the incoming segment acknowledges something not yet sent (the segment carries an unacceptable ACK), or if an incoming segment has a security level or compartment which does not exactly match the level and compartment requested for the connection, a reset is sent.

    If our SYN has not been acknowledged and the precedence level of the incoming segment is higher than the precedence level requested then either raise the local precedence level (if allowed by the user and the system) or send a reset; or if the precedence level of the incoming segment is lower than the precedence level requested then continue as if the precedence matched exactly (if the remote TCP cannot raise the precedence level to match ours this will be detected in the next segment it sends, and the connection will be terminated then). If our SYN has been acknowledged (perhaps in this incoming segment) the precedence level of the incoming segment must match the local precedence level exactly, if it does not a reset must be sent.

    If the incoming segment has an ACK field, the reset takes its sequence number from the ACK field of the segment, otherwise the reset has sequence number zero and the ACK field is set to the sum of the sequence number and segment length of the incoming segment. The connection remains in the same state.

  3. If the connection is in a synchronized state (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT), any unacceptable segment (out of window sequence number or unacceptible acknowledgment number) must elicit only an empty acknowledgment segment containing the current send-sequence number and an acknowledgment indicating the next sequence number expected to be received, and the connection remains in the same state.

    If an incoming segment has a security level, or compartment, or precedence which does not exactly match the level, and compartment, and precedence requested for the connection,a reset is sent and connection goes to the CLOSED state. The reset takes its sequence number from the ACK field of the incoming segment.

    
por 04.10.2017 / 04:52
0

When I create an inbound rule to allow connections on a specific port that doesn't have a listener

Se você criar uma regra de firewall para uma porta sem LISTENER, então é completamente normal você não ter resposta, pois nada responde nessa porta.

Citações de

If something other than LISTENING is returned then there could be a problem with a port being blocked somewhere. If the port shows to be FILTERED then a firewall or VLAN could be blocking that port, if the port returns NOT LISTENING then we got to the machine but the machine is not listening on that port number.

    
por 04.10.2017 / 05:20
0

Encontrei a resposta.

A razão pela qual as portas saem como FILTERED, embora exista uma regra de entrada, é o recurso chamado "Stealth Mode" que "bloqueia mensagens ICMP de saída inacessíveis e TCP redefinidas para uma porta quando nenhum aplicativo está escutando nessa porta".

link

    
por 05.10.2017 / 04:26