December 3rd, 2005, 05:42 PM
Hiding from Nmap with pf's p0f features...
Not a big tutorial, but something cool to try and play with...
Starting in OpenBSD 3.4, the passive os fingerprinting features of p0f were merged into PF.
While the classic example use is something along the lines of "you can now block all those 3v1l w1nd0w5 b0x3s", I find the following much more interesting:
The pf.os fingerprints file includes, besides OS fingerprints, a set of NMAP fingerprints...
See where I'm going?
This means that with a simple rule like:
set fingerprints "/etc/pf.os"
block in log quick on $ExtIF from any os "NMAP" to any label ExtNMAPScan
you can appear as "all ports filtered" to NMAPers, while in fact you might still have ports opened to the world!
$ sudo nmap -sS -P0 firewall.domain.net
Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-12-03 11:52 EST
All 1668 scanned ports on firewall.domain.net (126.96.36.199) are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 354.715 seconds
$ nc firewall.domain.net 22
And in pflog:
rule 14/(match) [uid 0, pid 5463] block in on xl1: nmap.attacker.org.37995 > firewall.domain.net.22: S [tcp sum ok] 2367615787:2367615787(0) win 1024 (ttl 44, id 3095, len 40)
rule 28/(match) [uid 0, pid 5463] pass in on xl1: nmap.attacker.org.63367 > firewall.domain.net.22: S 2465556700:2465556700(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) (ttl 60, id 44997, len 60)
Of course this offers no guarantees that you won't show up in other scanner tools, or even other nmap variants, but it's still pretty cool IMHO..!
Still, you don't want to rely on such a feature for your security; consider it more like a fun thing to use to mess with and confuse novice would-be attackers...
Credit travels up, blame travels down -- The Boss
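To see why pf can tell the two SYNs in the pflog output apart, the following added example (not part of the original post, and not pf's or p0f's own code) parses those two logged lines and extracts the fields passive fingerprinting keys on: window size, initial TTL, DF bit, packet length and TCP option layout. The `looks_crafted` heuristic and the TTL rounding are simplifying assumptions for illustration, not the contents of `/etc/pf.os`.

```python
import re

# The two pflog entries quoted in the post, embedded so the example runs offline.
PFLOG = [
    "rule 14/(match) [uid 0, pid 5463] block in on xl1: nmap.attacker.org.37995 > firewall.domain.net.22: S [tcp sum ok] 2367615787:2367615787(0) win 1024 (ttl 44, id 3095, len 40)",
    "rule 28/(match) [uid 0, pid 5463] pass in on xl1: nmap.attacker.org.63367 > firewall.domain.net.22: S 2465556700:2465556700(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) (ttl 60, id 44997, len 60)",
]

# Matches a logged TCP SYN: rule number, action, window, options, DF, TTL, length.
SYN = re.compile(
    r"rule (?P<rule>\d+)/\(match\).*? (?P<action>block|pass) in on \S+: "
    r".*?: S .*?win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?(?P<df> \(DF\))? "
    r"\(ttl (?P<ttl>\d+), id \d+, len (?P<len>\d+)\)")

def initial_ttl(observed):
    """Assumption: round the observed TTL up to the next common initial value."""
    return next(t for t in (32, 64, 128, 255) if t >= observed)

def syn_signature(line):
    """Return the fingerprint-relevant fields of one pflog SYN line, or None."""
    m = SYN.search(line)
    if m is None:
        return None
    # Keep only option names; drop values and tcpdump's "[|tcp]" truncation mark.
    opts = tuple(o.split()[0].split("[")[0]
                 for o in (m["opts"] or "").split(",") if o)
    return {"rule": int(m["rule"]), "action": m["action"],
            "win": int(m["win"]), "ttl0": initial_ttl(int(m["ttl"])),
            "df": m["df"] is not None, "len": int(m["len"]), "opts": opts}

def looks_crafted(sig):
    """Hypothetical heuristic: a bare 40-byte SYN with no TCP options and no DF,
    like the blocked packet above, is not what an ordinary client stack sends."""
    return sig["len"] == 40 and not sig["opts"] and not sig["df"]

def report(lines):
    """Pair pf's logged action with the heuristic verdict for each SYN."""
    return [(s["action"], s["win"], s["opts"], looks_crafted(s))
            for s in map(syn_signature, lines) if s]

if __name__ == "__main__":
    for row in report(PFLOG):
        print(row)
```

The nmap SYN scan probe and the `nc` connection differ in almost every field, which is why a fingerprint match can drop one and pass the other on the same port.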