Methods for evading Nmap OS Fingerprinting

Printable View

March 10th, 2003, 08:15 AM
bluebeard96

Methods for evading Nmap OS Fingerprinting

Got this in my email today and though it was something a lot of you would be interested in reading.

Date: Sun, 9 Mar 2003 15:47:05 -0800
From: "Fyodor" <[email protected]>
To: [email protected]
Subject: Methods for evading Nmap OS Fingerprinting

Most of you probably know that several software packages are available
which try to defeat Nmap OS fingerprinting. These include Honeyd, IP
Personality, the "Stealth Patch", "Fingerprint ****er", IPlog, etc.
Normally, I wouldn't recommend spending your valuable security time
trying to obscure your OS. Most companies would be better off working
on fundamental security improvements such as applying patches,
tightening their firewalls, installing IDS systems, removing
unnecessary services and setuid binaries, etc. And sometimes this
type of spoofing can actually increase security vulnerability. But OS
spoofing can be useful for certain honeynet and research applications,
or if you're just feeling bored and ornery enough to disguise
your Linux box as an Apple Laserwriter or Sega Dreamcast :).

In that vein, David Barroso Berrueta ([email protected]) today
announced a new paper entitled "A practical approach for defeating
Nmap OS-Fingerprinting." It is available at
http://voodoo.somoslopeor.com/papers.php and provides an excellent
examination of many of these Nmap deception tools. I certainly
recommend it for people interested in this type of thing.

Cheers,
Fyodor

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
[email protected] . List run by ezmlm-idx (www.ezmlm.org).
March 10th, 2003, 09:52 AM
sweet_angel

Thanks for that Link finally I can change my Linux OS to "telletubies" to defeat "OS Detector".
Tips for FreeBSD if you add "TCP_DROP_SYNFIN" to your kernel and then edit your your /etc/rc.conf, "they" will not know your OS.

Cheers
March 10th, 2003, 11:52 AM
Tiger Shark

OK Sweet..... I'll Bite....<s>

Logically, if your OS is the only one to give no clue as to it's OS then clearly it must be FreeBSD.

Thoughts?
March 10th, 2003, 12:03 PM
MrLinus

Tiger Shark said:

Quote:

Logically, if your OS is the only one to give no clue as to it's OS then clearly it must be FreeBSD.

Errr. Nope. Mac does this by default. It all depends on ports open, responses given and the TCP/IP stack.
March 10th, 2003, 01:49 PM
Tiger Shark

Ms:

Ok..... Fair comment..... But..... (there's always a "but" where I'm concerned.....<s>), what you are saying is that I have narrowed it down to 2 OS's and I might be wrong but a wild assed guess would leave me with the impression that there are less likely to be many Mac's providing public services on the internet today than FreeBSD. Of course I wouldn't simply make that assumption and fingerprinting would continue but I still think I saved myself some work against a remote machine.

Personally, I think camoflaging your OS is giving one a false sense of security in so far as it will only take a little longer to work it out. However, if you then don't pay proper attention to the other little details like ACL's, proper placement of security assets, patches...<Duh> etc. etc. etc. then you are still equally vulnerable as a system that advertises itself and remains vulnerable.

I have never tried to hide my OS. I did give it thought but decided that the work was not worth the eventual benefit and it only requires a _tiny_ little error to give away the system and that tiny little error is too easy to make. I am happily advertising my OS and get a certain amount of, shall we say, satisfaction from knowing that while someone is hammering away at my system they are not knocking on the door of some other system that is, dare I say....<s>, less well managed and defended...... ;)
March 10th, 2003, 01:56 PM
MrLinus

Maybe two oses and maybe more. I've seen problems with Windows ME as well as some linuxes. It could be quite a broad range. While obscuring the OS fingerprint isn't the be-all-end-all for security, it should be part of the security concepts. The less an attacker knows about your box(es), less his/her chances of breaking in are. He/she will have to work to figure out what vulnerabilities you have rather than you just giving him the answer by having a set footprint.

You are right that proper ACLs and other configurations should have presidence but I would look at this as being part of how I'd setup a box. I'm not about to make it easier for the attacker. If he/she wants to get in, they better work for it and prove to me that they are worthy of getting in.
March 10th, 2003, 02:16 PM
Tiger Shark

I dunno Ms..... With all the differences in the TCP/IP implementations and all the different ways someone could interrogate it there will always be something a little different that will give away the OS. Heck, do you go back and check all the possible interrogation methods each time you do major patches to ensure that they haven't messed with the implementation.... Probably not..... but if they have then you're back to broadcasting it for the world to see. That's my point about "bang for the buck" so to speak. For the amount of work required to truly ensure that you are completely masked from the fingerprinter I feel my time can be better spent making sure that I am up to date and that I am careful about watching for suspicious connections.

But that's my 2c and half the time it isn't worth that much..... ;)
March 10th, 2003, 02:25 PM
tampabay420

----[ 4 - Stealth Kernel Patch

URL : http://packetstormsecurity.org/UNIX/...tealth.diff.gz
Author : Sean Trifero <sean[at]innu.org>
Comment : The Stealth Kernel Patch for Linux v2.2.22 makes the linux kernel
discard the packets that many OS detection tools use to query the
TCP/IP stack. Includes logging of the dropped query packets and
packets with bogus flags. Does a very good job of confusing nmap
and queso.

taken from phrack.org tools armory (packetstorm) article.
March 10th, 2003, 03:05 PM
Tiger Shark

Tampa: You got that for windows too? How about FreeBSD, MAC etc. etc. etc.

Furthermore, "a good job of" is not perfect.... It "confuses" NMAP and Queso..... OK.... I'll run with that.... Does it also confuse the person sat behind those apps. One who captures the entire packet stream and looks it over for himself too?

Back to my "bang for the buck" point..... Time and effort against effect. I don't believe that maintaining a perfect camoflage job is not drawing one away from other more pressing tasks. Implementing this system to do a "good job" is no guarantee that your OS is really hidden there are other factors to take into account like the web server etc. My time is better spent elsewhere...... That's my story..... and I'm sticking to it.... ;)
March 10th, 2003, 03:54 PM
nebulus200

I would also like to add that if the person performing the nmap OS detection scan passes through proxies (like a proxying firewall or a reverse proxy server), if it detects an OS at all (which some firewalls are better at hiding that others) it will typically detect the OS of the firewall, not the server. This has to do with how Fyodor checks the various TCP/IP header fields and their variances and responses to abnormalities to determine the underlying OS that is controling the TCP/IP stack...Since the proxying firewall substitutes most, if not all, of these fields from the original packets, it makes it difficult at best to determine the OS of the system behind it, especially if used in conjunction with banner manipulation on the server behind the proxy...

And while I agree that this should not be your only line of defense, I would have to object to this being security through obscurity. Most vulnerabilities or overflows target are very specific to OS's and very specific to architectures, and if used in conjunction with other security layers (firewalls, IDS, etc), can make you a tougher target to be had...and greatly increase the liklihood of catching the attacker...

/nebulus
March 10th, 2003, 03:59 PM
neel

If you just secure your network or you computer good, with a nice firewall or router or whatever, you come far enough to fake a different os. Some while back I had a gentoo box. Nmap identified it as a cisco router.
March 10th, 2003, 04:48 PM
bluebeard96

I think we'd all agree that a system can't be 100% secure, just as its identity cannot be 100% hidden. Doing a "pretty good job" is a lot better than doing NO job of obscuring the true identity. Is there someone that will dig deeper to successfully fingerprint your system? Sure. Are you gonna fool a lot of newbies that won't have what it takes to dig deeper? Yep.

Bottom line is that this is one of a multitude of things you should be doing to protect your system. Heck, the 1st sentence in the link I posted states this...

Quote:

The purpose of this paper is to try to enumate and briefly describe all applications and technics deployed for defeating Nmap OS Fingerprint, but in any case, security by obscurity is not good approach; it can be a good security measure but please take into account that is more important to have a tight security environment (patches, firewalls, ids, ...) than hiding your OS.
March 24th, 2003, 05:46 PM
ponga

I believe a paraphrase of an old quote to nations can be of help in this matter, as I believe it holds merit for other entities and individuals as a guide for allocation of resources; that is, when security is valued over liberty, one will have neither.
March 24th, 2003, 08:34 PM
daxmax

Just to add to the Convo this doc is specifically for the *Nix flavor of servers, nonetheless, you can hide your identity (somewhat) on M$ with tools like ServerMask or by directly modifying one of the Servers DLL (can't remember the name of it at the moment).

http://www.port80software.com/suppor...rwebserver.asp

They also right a half decent article on what to look out for if you want your server to be more "generic".