I'm trying to lock down my computer and I was wondering where/what values in the registry would make my Windows XP computer report (nmap, xprobe, etc.) as an ancient *NIX, toaster, microwave, anything other than a Windows device?
That is going to be pretty damn tough to do without the source code to the OS. What you need to understand is that these days, any worthy scanner uses specific characteristics of the IP implementation of the OS to make a guess at what it is.
This includes things like how the sequence numbers are generated, windows, how it responds to a packet with certain flags or all flags set, etc.
Just changing the banner hasn't cut it since the late '90s.
Sorry. Maybe you should just go ahead and run Linux or a BSD. That way your box will be sure to show up as a Unix flavor during port scans. :)
-- spurious
You can start with changing the TTL from 128 to 64; this is one of the first things you would look at when trying to determine the OS. But as spurious_inode already stated, there are a lot of other things you cannot change like that.
I suggest you get a decent firewall which will not allow the enumeration of your system.
When it cannot be pinged, scanned, etc., you also cannot determine the OS that is running.
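To show why the TTL tweak above does not change the overall picture spurious_inode describes (the guess is built from several stack traits at once), here is an added toy passive fingerprinter written for this thread; it is not code from any poster or from nmap/xprobe, and its signature table, trait values and sample SYN packets are constructed illustrations, not a real fingerprint database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SynTraits:
    """Stack traits readable from one SYN packet (all values constructed)."""
    ttl: int       # TTL as seen on the wire, i.e. after some hops
    window: int    # advertised TCP window size
    df: bool       # IP don't-fragment bit
    options: str   # TCP option order, e.g. "mss,nop,nop,sack"

# Constructed illustrative signatures: (label, initial TTL, window, DF, option order).
# Not nmap's or any real tool's database; the labels are hypothetical.
SIGNATURES = [
    ("windows-xp-like", 128, 65535, True, "mss,nop,nop,sack"),
    ("linux-2.4-like",   64,  5840, True, "mss,sack,ts,nop,ws"),
    ("openbsd-like",     64, 16384, True, "mss,nop,nop,sack,nop,ws,nop,nop,ts"),
]

COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common starting value:
    a packet arriving with TTL 116 most likely left its sender at 128."""
    return next((t for t in COMMON_INITIAL_TTLS if t >= observed), 255)

def score(traits: SynTraits, sig) -> int:
    """One point per matching trait, four points maximum."""
    _, ttl, window, df, options = sig
    return (int(initial_ttl(traits.ttl) == ttl) + int(traits.window == window)
            + int(traits.df == df) + int(traits.options == options))

def fingerprint(traits: SynTraits):
    """Return (best-matching label, its score); ties keep the earlier signature."""
    best = max(SIGNATURES, key=lambda sig: score(traits, sig))
    return best[0], score(traits, best)

def demo():
    """Constructed SYNs from a Windows XP-like host 12 hops away, before and
    after lowering only its TTL from 128 to 64 (the tip given in the thread)."""
    stock = SynTraits(ttl=116, window=65535, df=True, options="mss,nop,nop,sack")
    ttl_tweaked = SynTraits(ttl=52, window=65535, df=True, options="mss,nop,nop,sack")
    return fingerprint(stock), fingerprint(ttl_tweaked)

if __name__ == "__main__":
    before, after = demo()
    print("stock XP  :", before)   # ('windows-xp-like', 4)
    print("TTL tweak :", after)    # ('windows-xp-like', 3): still the top match
```

Only one of four traits moved, so the same signature still wins; a defender auditing their own host would have to look at every trait the scanner scores, not just the TTL.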
I could still tell just by simply looking at you on AIM if you use it. Don't act like all you need to do is what you said and no one can tell; it's not true.
Quote:
Originally posted here by White Scorpion
You can start with changing the TTL from 128 to 64; this is one of the first things you would look at when trying to determine the OS. But as spurious_inode already stated, there are a lot of other things you cannot change like that.
I suggest you get a decent firewall which will not allow the enumeration of your system.
When it cannot be pinged, scanned, etc., you also cannot determine the OS that is running.
What about the Proxomitron?
But then that is if you're the client... but if you're talking server... I dunno.
I have a machine that identifies itself as a Victor Lawn Mower, running Grass Browzer 2.2, done mainly for the wank value.
This is a slightly roundabout route, but can't you just set up a hardware router/firewall using an old 486? That could work.
i2c
I would like to challenge you on this, because I do not believe you can determine correctly which OS I am using when I am at home, simply because it wouldn't give you enough info to be exactly sure. This problem you also see when using nmap: if you do not have enough info, the program cannot determine which OS you are using. OK, perhaps there are 1-2 people in the world who need very little, but I do not believe you are one of them (no offense), so let's keep it simple, and you tell me how you can determine an OS when the system has no open ports and doesn't reply to ping queries. I doubt you can. I really doubt it...
Quote:
Originally posted here by White Scorpion
You can start with changing the TTL from 128 to 64; this is one of the first things you would look at when trying to determine the OS. But as spurious_inode already stated, there are a lot of other things you cannot change like that.
I suggest you get a decent firewall which will not allow the enumeration of your system.
When it cannot be pinged, scanned, etc., you also cannot determine the OS that is running.
I could still tell just by simply looking at you on AIM if you use it. Don't act like all you need to do is what you said and no one can tell; it's not true.
.... Actually, most OSes have little quirks or other unique things about the way they act when you try to build a connection on a closed TCP port. Add to this the implementation-specific way that a system deals with UDP pings (packets in succession to incrementing UDP ports... see 'ping -sU <target>' on Solaris for example) and a ballpark guess on the OS is achieved. All NT-based OSes behave in a similar (and distinct from other OSes) manner to these kinds of probes.
Raw sockets, DHCP pings, ARPs, and a whole slew of other `normal' network traffic can be used to build an OS fingerprint. Point is, don't rely on stupid tricks to thwart would-be attackers. Doing so falls dangerously into the category of 'security by obscurity', which plain doesn't work.
-- spurious
There are various tools on the internet for doing this with various operating systems. There are also other tweaks that can be done that make this more difficult.
While the paper below is for a FreeBSD tool, it explains the basics of what they are doing and why, and has related material in the references section - http://www.usenix.org/publications/l...tml/index.html
Another paper you might find useful is - http://voodoo.somoslopeor.com/papers/nmap.html
And this page has a great deal of information - http://www.l0t3k.org/security/docs/fingerprinting/
While the papers above describe Linux/Unix environments, similar things can be done with Windows.
I wouldn't rely on this to keep things safe alone, but it can raise the bar a bit to keep some of the idiots out. (you must be at least this tall to ride this ride...)
Yeah OK, but you would still have to be able to monitor the network traffic and examine the packets.
Quote:
.... Actually, most OSes have little quirks or other unique things about the way they act when you try to build a connection on a closed TCP port. Add to this the implementation-specific way that a system deals with UDP pings (packets in succession to incrementing UDP ports... see 'ping -sU <target>' on Solaris for example) and a ballpark guess on the OS is achieved. All NT-based OSes behave in a similar (and distinct from other OSes) manner to these kinds of probes.
Raw sockets, DHCP pings, ARPs, and a whole slew of other `normal' network traffic can be used to build an OS fingerprint. Point is, don't rely on stupid tricks to thwart would-be attackers. Doing so falls dangerously into the category of 'security by obscurity', which plain doesn't work.
But normally, when you have just an IP with no server running (that you know of) and you aren't able to monitor traffic (especially with a hardware firewall), I doubt it will be so easy. And that is what I was trying to say... Of course, when you are running a webserver it would be a lot harder to block (maybe even impossible).
Windows always has a server running. Shut down RPC and come back to me.
If you bring RPC into the light and its variation with Java implementations, which is RMI, and add in Open Network Computing Remote Procedure Call from Sun Micro., then we are all SNOCKERED. Attempt at humor.
You got me there, I forgot about that thing... but still, it would make no difference if using a good hardware firewall, since it would not let the server/service connect to the outside (if you don't want it to).
Quote:
Windows always has a server running. Shut down RPC and come back to me.
Hardware firewalls are overrated. Our guys just spent the past 9 hours un-*****ing the network after a Cisco PIX HA pair **** the bed and then brought all interfaces online at the same time. Which, by the way, causes multiple loops in the network, which is illegal on Ethernet networks....
Quote:
Originally posted here by White Scorpion
Yeah OK, but you would still have to be able to monitor the network traffic and examine the packets.
But normally, when you have just an IP with no server running (that you know of) and you aren't able to monitor traffic (especially with a hardware firewall), I doubt it will be so easy. And that is what I was trying to say... Of course, when you are running a webserver it would be a lot harder to block (maybe even impossible).
Monitor? We are talking about port scanning here, aren't we? :) Scanning through firewalls is a very basic black hat skill, and anybody who doesn't know how isn't a hacker.
If I can get a MAC address, a couple of DHCP pings, and maybe a couple hundred rejected packets I can make a pretty good guess as to the hardware of the machine, and the OS.
Networking was designed to be predictable; that will always trump cheap (obscurity *) security tricks!
-- spurious
Heh, a peer-to-peer network with Windows 2000 could be fun. Well, interesting to say the least, if you can make the two machines ping each other at the exact same moment. Should crash.
I posted a trick that will make Windows 2000 force a BSOD with a regedit to do this, but I'm too tired right now to look for the link. This has nothing to do with much of anything, but it's more interesting than listening to some of this, heh.
But getting them is the biggest problem...
Quote:
If I can get a MAC address, a couple of DHCP pings, and maybe a couple hundred rejected packets I can make a pretty good guess as to the hardware of the machine, and the OS.
But like gore already pointed out, this doesn't really answer the original poster's question anymore, and we can keep up this discussion for several pages, but eventually it will help no one, I think :D
As far as I know (from a defending point of view) you can defend it and make it as hard as possible for an attacker, and it seems that from your point of view you believe you could always find a way.
I have to agree with you on some parts, because I do not believe that there is any system in the world which is unhackable (unless it has absolutely no connection to the outside world), so eventually you could perhaps find something, but I still keep my statement that with a good configuration and a good firewall you can prevent most attackers from determining your OS. Of course there are always people who find a way, but luckily those are very rare ;)
I suggest we stop this discussion and leave this thread open to people who CAN help the original poster with his question.
No hard feelings tho :)
Regards
White Scorpion
http://www.specter.com/
will enumerate different OS.
A little expensive though.
Quote:
Current Version : 7.0
Sales inquiries : [email protected]
SPECTER
SPECTER Initial Package (incl. 1 license) US$ 899.00
SPECTER Additional License US$ 399.00
SPECTER Extension of Upgrade & Support Period (1 year) US$ 99.00
SPECTER Light *
SPECTER Light Initial Package (incl. 1 license) US$ 599.00
SPECTER Light Additional License US$ 269.00
SPECTER Light Extension of Upgrade & Support Period (1 year) US$ 99.00
SPECTER Light Initial Package Upgrade to full version US$ 399.00
SPECTER Light Additional License Upgrade to full version US$ 149.00
Anyone who would use it will either be able to afford it, or they don't pay for software anyway. Price is never a problem with security tools.
What's the point....
If the box is secured and updated then the issue is a non-issue....
What the box "reports" is irrelevant..... What it's exploitable by is more important! The worm doesn't give a rat's a$$ what the box says it is; if the port is open it will try the exploit..... Regardless of what the box "says" it is, the exploit will work if the box isn't secured or patched against it....
Show me a worm that says "Self..... This box says it's a *nix box so my windows 'sploit won't work so I won't try it...."
No. they say... "OK... it responds on port X.... Ok.... fire the code and let's see what happens"
Yawn....
This stuff isn't difficult you know......
I'm starting to wonder why I come here sometimes......
Yup - I agree, it's expensive. The product is for enterprise use.
Quote:
I posted to point out that there are products out there that will do it.
I think I have seen this product's trial version available somewhere before. I wonder how hard it is to analyze how the product does what it does and then try to replicate it.
That wouldn't be so hard; all you need to do is monitor traffic and understand what it is.
Quote:
I think I have seen this product's trial version available somewhere before. I wonder how hard it is to analyze how the product does what it does and then try to replicate it.
Also you would need a database which contains the signatures of the specific OSes.
But you still would have the same problem as the discussion we were having: if there exists a program that can do this, you can also do it manually, so I don't believe this program can detect the OS on any computer; otherwise it would be all over the news and they would be loaded with money from the sales, since then they would have created the ultimate hacking tool!