Methods for evading Nmap OS Fingerprinting

[bluebeard96]

Got this in my email today and though it was something a lot of you would be interested in reading.


Date: Sun, 9 Mar 2003 15:47:05 -0800
From: "Fyodor" <fyodor@insecure.org>
To: nmap-hackers@insecure.org
Subject: Methods for evading Nmap OS Fingerprinting

Most of you probably know that several software packages are available
which try to defeat Nmap OS fingerprinting. These include Honeyd, IP
Personality, the "Stealth Patch", "Fingerprint ****er", IPlog, etc.
Normally, I wouldn't recommend spending your valuable security time
trying to obscure your OS. Most companies would be better off working
on fundamental security improvements such as applying patches,
tightening their firewalls, installing IDS systems, removing
unnecessary services and setuid binaries, etc. And sometimes this
type of spoofing can actually increase security vulnerability. But OS
spoofing can be useful for certain honeynet and research applications,
or if you're just feeling bored and ornery enough to disguise
your Linux box as an Apple Laserwriter or Sega Dreamcast .

In that vein, David Barroso Berrueta (tomac@somoslopeor.com) today
announced a new paper entitled "A practical approach for defeating
Nmap OS-Fingerprinting." It is available at
http://voodoo.somoslopeor.com/papers.php and provides an excellent
examination of many of these Nmap deception tools. I certainly
recommend it for people interested in this type of thing.

Cheers,
Fyodor

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).

[sweet_angel]

Thanks for that Link finally I can change my Linux OS to "telletubies" to defeat "OS Detector".
Tips for FreeBSD if you add "TCP_DROP_SYNFIN" to your kernel and then edit your your /etc/rc.conf, "they" will not know your OS.

Cheers

[Tiger Shark]

OK Sweet..... I'll Bite....<s>

Logically, if your OS is the only one to give no clue as to it's OS then clearly it must be FreeBSD.

Thoughts?

[MrLinus]

Tiger Shark said:

Logically, if your OS is the only one to give no clue as to it's OS then clearly it must be FreeBSD.

Errr. Nope. Mac does this by default. It all depends on ports open, responses given and the TCP/IP stack.

[Tiger Shark]

Ms:

Ok..... Fair comment..... But..... (there's always a "but" where I'm concerned.....<s>), what you are saying is that I have narrowed it down to 2 OS's and I might be wrong but a wild assed guess would leave me with the impression that there are less likely to be many Mac's providing public services on the internet today than FreeBSD. Of course I wouldn't simply make that assumption and fingerprinting would continue but I still think I saved myself some work against a remote machine.

Personally, I think camoflaging your OS is giving one a false sense of security in so far as it will only take a little longer to work it out. However, if you then don't pay proper attention to the other little details like ACL's, proper placement of security assets, patches...<Duh> etc. etc. etc. then you are still equally vulnerable as a system that advertises itself and remains vulnerable.

I have never tried to hide my OS. I did give it thought but decided that the work was not worth the eventual benefit and it only requires a _tiny_ little error to give away the system and that tiny little error is too easy to make. I am happily advertising my OS and get a certain amount of, shall we say, satisfaction from knowing that while someone is hammering away at my system they are not knocking on the door of some other system that is, dare I say....<s>, less well managed and defended......

[MrLinus]

Maybe two oses and maybe more. I've seen problems with Windows ME as well as some linuxes. It could be quite a broad range. While obscuring the OS fingerprint isn't the be-all-end-all for security, it should be part of the security concepts. The less an attacker knows about your box(es), less his/her chances of breaking in are. He/she will have to work to figure out what vulnerabilities you have rather than you just giving him the answer by having a set footprint.

You are right that proper ACLs and other configurations should have presidence but I would look at this as being part of how I'd setup a box. I'm not about to make it easier for the attacker. If he/she wants to get in, they better work for it and prove to me that they are worthy of getting in.

[Tiger Shark]

I dunno Ms..... With all the differences in the TCP/IP implementations and all the different ways someone could interrogate it there will always be something a little different that will give away the OS. Heck, do you go back and check all the possible interrogation methods each time you do major patches to ensure that they haven't messed with the implementation.... Probably not..... but if they have then you're back to broadcasting it for the world to see. That's my point about "bang for the buck" so to speak. For the amount of work required to truly ensure that you are completely masked from the fingerprinter I feel my time can be better spent making sure that I am up to date and that I am careful about watching for suspicious connections.

But that's my 2c and half the time it isn't worth that much.....

[tampabay420]

----[ 4 - Stealth Kernel Patch

URL : http://packetstormsecurity.org/UNIX/...tealth.diff.gz
Author : Sean Trifero <sean[at]innu.org>
Comment : The Stealth Kernel Patch for Linux v2.2.22 makes the linux kernel
discard the packets that many OS detection tools use to query the
TCP/IP stack. Includes logging of the dropped query packets and
packets with bogus flags. Does a very good job of confusing nmap
and queso.

taken from phrack.org tools armory (packetstorm) article.

[Tiger Shark]

Tampa: You got that for windows too? How about FreeBSD, MAC etc. etc. etc.

Furthermore, "a good job of" is not perfect.... It "confuses" NMAP and Queso..... OK.... I'll run with that.... Does it also confuse the person sat behind those apps. One who captures the entire packet stream and looks it over for himself too?

Back to my "bang for the buck" point..... Time and effort against effect. I don't believe that maintaining a perfect camoflage job is not drawing one away from other more pressing tasks. Implementing this system to do a "good job" is no guarantee that your OS is really hidden there are other factors to take into account like the web server etc. My time is better spent elsewhere...... That's my story..... and I'm sticking to it....

[nebulus200]

I would also like to add that if the person performing the nmap OS detection scan passes through proxies (like a proxying firewall or a reverse proxy server), if it detects an OS at all (which some firewalls are better at hiding that others) it will typically detect the OS of the firewall, not the server. This has to do with how Fyodor checks the various TCP/IP header fields and their variances and responses to abnormalities to determine the underlying OS that is controling the TCP/IP stack...Since the proxying firewall substitutes most, if not all, of these fields from the original packets, it makes it difficult at best to determine the OS of the system behind it, especially if used in conjunction with banner manipulation on the server behind the proxy...

And while I agree that this should not be your only line of defense, I would have to object to this being security through obscurity. Most vulnerabilities or overflows target are very specific to OS's and very specific to architectures, and if used in conjunction with other security layers (firewalls, IDS, etc), can make you a tougher target to be had...and greatly increase the liklihood of catching the attacker...

/nebulus