From:         Patrick Douglas Crispen 
Subject:      Tourbus - 3 Sep 04 - Testing Your Firewall


The Internet Tourbus - U.S. Library of Congress ISSN #1094-2239
Copyright © Bob Rankin and Patrick Crispen - All rights reserved
Testing Your Firewall

Howdy, y'all, and greetings once again from deep behind the orange curtain in beautiful Irvine, California, now with 2 billion effective pixels. :P

Today's journey of our little bus of Internet happiness is the much- anticipated third part in my never-ending Home Computer Security series. If you missed any of my previous posts, you can find them all online in the Tourbus archives:

Part One: Exploits and Patch Management

Part Two: Firewalls

Part Two and a half: Odds and Ends

TOURBUS is made possible by the kind support of our sponsors. Please take a moment to visit today's sponsors and thank them for keeping our little bus of Internet happiness on the road week after week.

On with the show...

A quick review

Connect to the internet and two things will quickly target and attack your computer: Worms and crackers. To protect your computer from opportunistic attacks--besides being vigilant with patch management-- you need to "hide" your computer from the internet. If worms and crackers can't see your computer, they [hopefully] won't attack you.

How do you hide your computer? Use a firewall. A firewall is either hardware or software that stands between your computer [or home network] and its internet connection and provides "access control"--it determines what can and cannot pass. If you have a broadband connection [cable modem or DSL] you need BOTH a hardware firewall [in the form of a ~US$70 router] and a [free] software firewall. If you have a dial-up connection or an internal cable or DSL modem, you only need a [free] software firewall.

Uh... WHAT?!

If all of this is Greek to you, check out my "Home Computer Security and Privacy, Part One: Firewalls and Exploit Management" presentation at

This presentation is available online, free of charge, in both Microsoft PowerPoint and Macromedia Flash formats.

Testing your firewall

How do you know if your firewall is doing its job of keeping the bad stuff out? Well, the best way is to test your firewall by having a trusted entity attack it. There are people called "white hat hackers" or "sneakers" who can do this for you...for a price. That price is usually the same as the price of a mortgage payment in Beverly Hills. Or you can test your firewall yourself for free with both Sygate Online Services and Steve Gibson's Shields Up.

Sygate Online Services

Sygate is one of the biggest players in the corporate security market, and they also make one of my favorite software firewalls: Sygate Personal Firewall. Sygate Online Services is a free web site that, with your permission, probes your firewall[s] looking for vulnerabilities. And since the scan is done online, it doesn't matter what type of computer you have. Sygate Online Services can scan PCs, Macs, and *nix boxes.

Just point your web browser to

and click on the black "Scan Now" button. This starts something called the "Prescan."

Sygate prescan

The first three bits of information you'll see--your IP address, your operating system, and the name of your web browser--are [more or less] "public" information. And if you are using a hardware router with network address translation, that isn't your computer's real IP address anyway. It's your router's.

Your operating system and browser name information came from the HTTP GET packet your browser sent when it requested Sygate's web page. Don't believe me? Check out or

In other words, "There's nothing to see here. Move along."

*BUT*, if Sygate's prescan can see your computer name or the services running on your computer, your computer could potentially have a serious security problem, especially if you're running Windows.

Windows file and printer sharing

Windows comes with a built-in service called "File and Printer Sharing for Microsoft Networks." File sharing lets you make files and folders in a shared folder accessible to others on your home network to view, copy, or modify. Printer sharing lets you share a printer with all the other computers on your home network. [Check out for more information.]

Apple also offers a built-in file and printer sharing service, but it is MUCH more secure than Microsoft's.

Unless you are really careful in setting up file and printer sharing, your computer may, without your knowledge or permission, be sharing personal files stored on your computer with everyone on the internet.

How can you tell if your computer's files are visible online? Well, Sygate Online Services' prescan probes something called "port 139" on your computer to see if:

1. File and printer sharing turned on; and

2. If those shares are accessible from the internet.

Before we talk about File and Printer Sharing and port 139, let's first talk about ports.

Any port in the packet storm

Most people connect to the internet through a single wire [or antenna.] For example, your single wire for a dial up connection is a RJ-11 telephone cable. Cable modem users use a single RG-6 coaxial cable. [Yeah, I know. There are actually a bunch of wires back there. Work with me on this one.]

ALL the data that you send and receive online goes through that one [bundled] wire. But think of the different types of data that travel through that wire: Web pages, instant messages, emails, etc. How does your computer sort through all of this incoming data and forward that data to the appropriate software applications? Well, your computer uses something called "ports."

Ports don't exist in the physical world--you can't actually see or touch them. Instead, they're just "pretend" addresses inside of your computer that your computer recognizes and uses to route incoming data to the appropriate software application. For example, any data that comes into your computer from the internet addressed to port 80 is automatically forwarded to your web browser. Data addressed to port 110 is automatically forwarded to your email program, and data addressed to port 5190 is automatically sent to your AOL Instant Messenger program.

How many of these pretend addresses [or ports] are there? Officially, up to 69,536. [source:]

The potential danger of port 139

Crackers and script kiddies LOVE port 139. Why? Well, every semi- competent cracker and script kiddie has software that scans thousands of internet connections looking for Windows file and printer shares accessible through port 139. All the cracker or script kiddie has to do is map to the share and he's in. It's just as if he was sitting in front of your computer [although, in reality, he can only access the stuff that is being shared.]

Remember Sygate?

Your goal is to have Sygate Online Services tell you that it is both

1. Unable to determine your computer name; and

2. Unable to detect any running services.

If Sygate can't see your computer, neither can the crackers. But if Sygate CAN see you, it means that

  • You don't have a firewall.
  • If you do have a firewall, it either isn't working or isn't
  • properly configured.

  • File and Printer Sharing for Microsoft Networks may be sharing
  • your personal files with the entire planet.

    Fixing your firewall

    If Sygate can see your computer name or any of the services running on your computer, you NEED to fix your firewall. Check the instructions that came with your firewall to make sure you set it up correctly or visit the support section of your firewall manufacturer's web site.

    To fix the File and Printer Sharing for Microsoft Networks problem, call *BOTH* your internet Service Provider's *AND* your school's or employer's helpdesks and ask them:

    "Can you think of any reason why I SHOULDN'T disable NetBIOS over TCP/IP on my home computer?"

    If the answer is yes--if either helpdesk says you *NEED* NetBIOS over TCP/IP in order to do some important thing on their network--ask the helpdesk tech to send you a handout showing you how to secure NetBIOS from attack from people outside of the network.

    If and only if the folks at *BOTH* helpdesks tell you that they have no problem with you disabling NetBIOS over TCP/IP, nuke that bugger. You don't need it.

    Disabling NetBIOS over TCP/IP

    You can find step-by-step instructions on how to disable NetBIOS over TCP/IP at

    The first step, regardless of what version of Windows you are running, is to open Windows Explorer. Right-click on My Computer or press the Windows key and the E key at the same time.

    The rest is pretty self-explanatory.

    Wait. There's more.

    Once Sygate Online Services' prescan gives you a clean bill of health by telling you it was unable to determine your computer name and unable to detect any running services, there are four more scans you need to run.

    1. Stealth Scan 2. Trojan Scan 3. TCP Scan 4. UDP Scan

    Sygate Stealth Scan

    The Stealth Scan re-runs the prescan but uses some common cracker stealthing techniques to try to sneak past your firewall. You can find a link to the Stealth Scan on the left side of the Sygate Online Services page, or you can just go to

    Click on the black "Scan Now" button to start the 30 second scan.

    Your goal is to have the Stealth Scan tell you that all of the ports it scanned are "blocked." This means that your firewall is working perfectly. No one on the internet can see any of those ports on your computer, so [hopefully] no one on the internet can attack those ports.

    However, if Sygate tells you that a particular port is "Closed" instead of blocked, you could have a problem. Sygate is telling you that while it couldn't break into that particular port it could still see it. Remember: If a port can been seen it can be attacked. You need to IMMEDIATELY check your firewall's instructions or the manufacturer's web site to find out how to "stealth" that particular port.

    Sygate Trojan Scan

    Once you've verified that your firewall is blocking all of the common ports, you need to make sure your computer doesn't have any Trojan Horses on it. A Trojan Horse is a type of virus that masquerades as a legitimate program but actually contains a payload that can damage your computer. Many Trojan Horses also attach themselves to a particular port so that they can listen for a command from the internet telling them when to activate and unleash all living hell. In fact, take a look at

    for a list of some common Trojans and the ports to which they attach themselves

    Sygate's Trojan Scan searches through over 65,000 ports looking for Trojan Horses hiding on your computer. You can find a link to the Trojan Scan on the left side of the Sygate Online Services page, or you can just go to

    I need to warn you that if you don't have a firewall or if your firewall is not properly configured, this scan can take up to TWENTY MINUTES. But, if your firewall is working properly, there won't be anything for Sygate to scan [because Sygate can't see your computer] so Sygate will angrily give up.

    If Sygate finds a Trojan Horse on your computer,

    1. Write the name of the Trojan Horse on a piece of paper

    2. Go to and search for that Trojan's removal instructions.

    Sygate TCP Scan

    After the Trojan Scan comes the TCP Scan. Sygate tells you if any of the first 1,024 ports on your computer are both open for attack and visible to crackers. You can find a link to the TCP Scan on the left side of the Sygate Online Services page, or you can just go to

    Even if your firewall is working properly, this scan will take up to 45 minutes to complete. Thoroughness is a good thing, especially when it comes to testing your firewall[s].

    If Sygate tells you that a particular port is "Open," immediately check your firewall's instructions or the manufacturer's web site to find out how to both close and stealth that particular port.

    Sygate UDP Scan

    We've already scanned the first 1,024 TCP ports on your computer. Now let's scan the common UDP ports. You can find a link to the UDP Scan on the left side of the Sygate Online Services page, or you can just go to

    The UDP scan could take up to 20 minutes, and your goal is to have Sygate tell you your firewall is blocking UDP ports. If your firewall isn't blocking UDP ports, check your firewall's instructions or the manufacturer's web site to find out how to block UDP ports.

    ------ Done?! ------

    Once you've run all the firewall tests at Sygate Online Services you're done, right? Not exactly. To be COMPLETELY sure your firewall is protecting your computer, you really need to test your firewall one more time using a different tool: Steve Gibson's Shields Up.

    Fortunately, once you've run Sygate Online Services, you know everything you need to know in order to run Shields Up. Just point your web browser to

    and click on the "Proceed" button. Then click on the file sharing, common ports, all service ports, and messenger spam buttons to test those particular vulnerabilities.

    Oh, and if you need help figuring out how to use Shields Up, check out

    The is an online movie I recently made that shows you, step-by-step how to access and use Shields Up.

    ----- DONE! -----

    Once you've tested your firewall[s] with Sygate Online services and Shields Up--and once you've received a clean bill of health from both --you can pretty much forget about your firewall[s]. It's as squared away as it's going to get.

    Next up: Making sure you REALLY have all of the critical updates for your operating system. We'll talk about that next week.

    The Internet Tourbus - U.S. Library of Congress ISSN #1094-2239
    Copyright © Bob Rankin and Patrick Crispen - All rights reserved

    That's it. Have a safe and happy weekend, and we'll talk again soon!

               .~~~.  ))
     (\__/)  .'     )  ))       Patrick Douglas Crispen
     /o o  \/     .~
    {o_,    \    {    
      / ,  , )    \   
      `~  -' \    } ))    AOL Instant Messenger: Squirrel2K
     _(    (   )_.'
    ---..{____}                  Warning: squirrels.

    Testing Your Firewall, viruses, hoaxes, urban legends, search engines, cookies, cool sites
    TOURBUS Site Search