Methods for evading Nmap OS Fingerprinting

Thread: Methods for evading Nmap OS Fingerprinting

  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    174

    Methods for evading Nmap OS Fingerprinting

    Got this in my email today and thought it was something a lot of you would be interested in reading.


    Date: Sun, 9 Mar 2003 15:47:05 -0800
    From: "Fyodor" <fyodor@insecure.org>
    To: nmap-hackers@insecure.org
    Subject: Methods for evading Nmap OS Fingerprinting

    Most of you probably know that several software packages are available
    which try to defeat Nmap OS fingerprinting. These include Honeyd, IP
    Personality, the "Stealth Patch", "Fingerprint ****er", IPlog, etc.
    Normally, I wouldn't recommend spending your valuable security time
    trying to obscure your OS. Most companies would be better off working
    on fundamental security improvements such as applying patches,
    tightening their firewalls, installing IDS systems, removing
    unnecessary services and setuid binaries, etc. And sometimes this
    type of spoofing can actually increase security vulnerability. But OS
    spoofing can be useful for certain honeynet and research applications,
    or if you're just feeling bored and ornery enough to disguise
    your Linux box as an Apple Laserwriter or Sega Dreamcast.

    In that vein, David Barroso Berrueta (tomac@somoslopeor.com) today
    announced a new paper entitled "A practical approach for defeating
    Nmap OS-Fingerprinting." It is available at
    http://voodoo.somoslopeor.com/papers.php and provides an excellent
    examination of many of these Nmap deception tools. I certainly
    recommend it for people interested in this type of thing.

    Cheers,
    Fyodor

    --------------------------------------------------
    For help using this (nmap-hackers) mailing list, send a blank email to
    nmap-hackers-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).
    Mike Reilly
    bluebeard96@yahoo.com

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Thanks for that link; finally I can change my Linux OS to "telletubies" to defeat "OS Detector".
    Tip for FreeBSD: if you add "TCP_DROP_SYNFIN" to your kernel and then edit your /etc/rc.conf, "they" will not know your OS.

    Cheers

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    OK Sweet..... I'll Bite....<s>

    Logically, if your OS is the only one to give no clue as to its OS then clearly it must be FreeBSD.

    Thoughts?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Tiger Shark said:

    Logically, if your OS is the only one to give no clue as to its OS then clearly it must be FreeBSD.
    Errr. Nope. Mac does this by default. It all depends on ports open, responses given and the TCP/IP stack.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ms:

    Ok..... Fair comment..... But..... (there's always a "but" where I'm concerned.....<s>), what you are saying is that I have narrowed it down to two OSes, and I might be wrong, but a wild assed guess would leave me with the impression that there are less likely to be many Macs providing public services on the internet today than FreeBSD. Of course I wouldn't simply make that assumption and fingerprinting would continue, but I still think I saved myself some work against a remote machine.

    Personally, I think camouflaging your OS is giving one a false sense of security in so far as it will only take a little longer to work it out. However, if you then don't pay proper attention to the other little details like ACLs, proper placement of security assets, patches...<Duh> etc. etc. etc. then you are still equally vulnerable as a system that advertises itself and remains vulnerable.

    I have never tried to hide my OS. I did give it thought but decided that the work was not worth the eventual benefit and it only requires a _tiny_ little error to give away the system and that tiny little error is too easy to make. I am happily advertising my OS and get a certain amount of, shall we say, satisfaction from knowing that while someone is hammering away at my system they are not knocking on the door of some other system that is, dare I say....<s>, less well managed and defended......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Maybe two OSes and maybe more. I've seen problems with Windows ME as well as some Linuxes. It could be quite a broad range. While obscuring the OS fingerprint isn't the be-all-end-all for security, it should be part of the security concepts. The less an attacker knows about your box(es), the less his/her chances of breaking in are. He/she will have to work to figure out what vulnerabilities you have rather than you just giving him the answer by having a set footprint.

    You are right that proper ACLs and other configurations should have precedence, but I would look at this as being part of how I'd set up a box. I'm not about to make it easier for the attacker. If he/she wants to get in, they better work for it and prove to me that they are worthy of getting in.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I dunno Ms..... With all the differences in the TCP/IP implementations and all the different ways someone could interrogate it there will always be something a little different that will give away the OS. Heck, do you go back and check all the possible interrogation methods each time you do major patches to ensure that they haven't messed with the implementation.... Probably not..... but if they have then you're back to broadcasting it for the world to see. That's my point about "bang for the buck" so to speak. For the amount of work required to truly ensure that you are completely masked from the fingerprinter I feel my time can be better spent making sure that I am up to date and that I am careful about watching for suspicious connections.

    But that's my 2c and half the time it isn't worth that much.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    ----[ 4 - Stealth Kernel Patch

    URL : http://packetstormsecurity.org/UNIX/...tealth.diff.gz
    Author : Sean Trifero <sean[at]innu.org>
    Comment : The Stealth Kernel Patch for Linux v2.2.22 makes the Linux kernel
    discard the packets that many OS detection tools use to query the
    TCP/IP stack. Includes logging of the dropped query packets and
    packets with bogus flags. Does a very good job of confusing nmap
    and queso.

    Taken from the phrack.org tools armory (Packetstorm) article.
    yeah, I'm gonna need that by friday...
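The quoted Stealth patch entry (drop the query packets OS-detection tools send, log them) and the FreeBSD TCP_DROP_SYNFIN tip from post #2 both come down to the same defensive rule: discard TCP segments whose flag combinations no real connection produces. The following is an added example modelling that rule in user space over constructed packet records; it is not code from either project, and the flag checks are the author's own reading of what those options do.

```python
# Added example: user-space model of the "drop and log bogus-flag probes"
# rule behind the Stealth Kernel Patch and FreeBSD's TCP_DROP_SYNFIN.
# Packet records below are constructed, not captured traffic.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST),
          ("PSH", PSH), ("ACK", ACK), ("URG", URG))

def flag_names(flags):
    """Render a TCP flag byte as e.g. 'SYN|FIN|PSH|URG', or 'NULL' if empty."""
    return "|".join(n for n, bit in _NAMES if flags & bit) or "NULL"

def classify(flags):
    """Return (verdict, reason) for one TCP segment's flag byte.

    A legitimate stack never sets SYN and FIN together, never sends a segment
    with no flags at all, and after the handshake every segment carries ACK.
    OS-detection probes break exactly these rules, so dropping such segments
    does not disturb real connections.
    """
    if flags & SYN and flags & FIN:
        return "drop", "SYN and FIN both set (TCP_DROP_SYNFIN rule)"
    if flags == 0:
        return "drop", "no flags set (NULL probe)"
    if flags & FIN and not flags & (SYN | ACK | RST):
        return "drop", "FIN without ACK (no established connection sends this)"
    return "pass", "normal segment"

def filter_records(records):
    """Apply classify() to (src, dport, flags) tuples; return (passed, log_lines)."""
    passed, log = [], []
    for src, dport, flags in records:
        verdict, reason = classify(flags)
        if verdict == "drop":
            log.append(f"DROP {src} -> :{dport} flags={flag_names(flags)} ({reason})")
        else:
            passed.append((src, dport, flags))
    return passed, log

# Constructed sample: a normal connection (SYN, ACK, FIN|ACK) followed by
# three probe-style segments of the kind the quoted patch description targets.
SAMPLE = [
    ("192.0.2.10", 80, SYN),
    ("192.0.2.10", 80, ACK),
    ("192.0.2.10", 80, FIN | ACK),
    ("198.51.100.7", 80, SYN | FIN | PSH | URG),
    ("198.51.100.7", 80, 0),
    ("198.51.100.7", 31337, FIN | PSH | URG),
]

if __name__ == "__main__":
    kept, dropped = filter_records(SAMPLE)
    print(f"{len(kept)} passed, {len(dropped)} dropped")
    print("\n".join(dropped))
```

The logged lines are what Tiger Shark's later objection is about: the probes are discarded, but the probing host is now recorded, which is the part a defender actually gains from this.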

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tampa: You got that for Windows too? How about FreeBSD, Mac etc. etc. etc.

    Furthermore, "a good job of" is not perfect.... It "confuses" NMAP and Queso..... OK.... I'll run with that.... Does it also confuse the person sitting behind those apps? One who captures the entire packet stream and looks it over for himself too?

    Back to my "bang for the buck" point..... Time and effort against effect. I don't believe that maintaining a perfect camouflage job is not drawing one away from other more pressing tasks. Implementing this system to do a "good job" is no guarantee that your OS is really hidden; there are other factors to take into account like the web server etc. My time is better spent elsewhere...... That's my story..... and I'm sticking to it....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I would also like to add that if the person performing the nmap OS detection scan passes through proxies (like a proxying firewall or a reverse proxy server), if it detects an OS at all (some firewalls are better at hiding than others) it will typically detect the OS of the firewall, not the server. This has to do with how Fyodor checks the various TCP/IP header fields and their variances and responses to abnormalities to determine the underlying OS that is controlling the TCP/IP stack... Since the proxying firewall substitutes most, if not all, of these fields from the original packets, it makes it difficult at best to determine the OS of the system behind it, especially if used in conjunction with banner manipulation on the server behind the proxy...

    And while I agree that this should not be your only line of defense, I would have to object to this being security through obscurity. Most vulnerabilities or overflows are very specific to OSes and very specific to architectures, and if used in conjunction with other security layers (firewalls, IDS, etc), this can make you a tougher target to be had... and greatly increase the likelihood of catching the attacker...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
