Dillinja
Aug 16 2003, 10:36 PM
| QUOTE |
| The purpose of this paper is to try to enumerate and briefly describe all applications and techniques deployed for defeating Nmap OS fingerprinting, but in any case, security by obscurity is not a good approach; it can be a good security measure, but please take into account that it is more important to have a tight security environment. |
Now this is a really interesting subject. I've always been in awe of Nmap's ability to identify operating systems, but the procedure for fooling Nmap has me enthralled (as does the word "enthralled", hehe).
Here's a link to a paper I've found on the subject:
http://voodoo.somoslopeor.com/papers/nmap.html
Also, a detailed paper on defeating TCP/IP stack fingerprinting:
http://www.usenix.org/publications/library...html/index.html
Check the download section for the IPPersonality download.
packet
Aug 17 2003, 02:16 AM
I love this! It works too; we had an external audit group come in and I set my machine up to pretend it was a Dreamcast. They came running around looking for a Dreamcast but couldn't find one; I finally came clean at the end of the day.
AND I didn't even lose my job! But mostly because folks thought it was humorous. But there was certainly a bunch of hand-slapping that went on afterwards.
-P.G.
shaun2k2
Aug 17 2003, 08:02 AM
Sweet! Nice post, Dillinja!
There is also a way to block ping probes; I'll post it when I remember.
-Shaun.
Dillinja
Aug 17 2003, 08:49 AM
Although, if Nmap reports back a Dreamcast, you would get quite suspicious that anyone is still playing one of those, let alone networking one!
I wonder if the Xbox's TCP/IP stack implementation is published anywhere... now that would be fun!
archphase
Aug 20 2003, 09:39 PM
Lots of honeypots hit at the IP stack to spoof the OS. It's a really interesting and complex topic; thanks for bringing it up.
Mouhahaha
Oct 14 2003, 12:01 PM
Hmm, I checked the sites, and there are only Linux versions... is there a way to enjoy this nice tool under Windows?
FLW
Oct 14 2003, 07:06 PM
| QUOTE |
| Although, if Nmap reports back a Dreamcast, you would get quite suspicious that anyone is still playing one of those, let alone networking one! |
In my opinion, both Nmap and Netcat are poor choices for fingerprinting an OS, since I've seen them be wrong more than right. Like NT is not Win2k nor XP, etc.
The only way to clearly ID an OS is analysis of the IP packets.
coder
Oct 14 2003, 08:53 PM
Good one, Dillinja! I too have found OS recognition fun and even sometimes exciting, lol.
If you're a Linux buff, you might want to check out some of the stealth kernel patches... in BSD you can sometimes use DROP_SYNFIN to confuse nmap (although that's an old trick, and with the release of nmap 3.48, who knows).
Should we not assemble a small team to start scouting out OS fingerprints? A very interesting subject, indeed.
Dillinja
Oct 15 2003, 09:52 AM
Another method I've come across is to use tarpits to open all services, so a port scan will show all 60k+ ports open, confusing most OS scanners as they don't expect so many replies, although recent versions of Nmap can recognise tarpitted ports.
Also, finding a valid open service would be like looking for a needle in a haystack. Although, if an attacker was very determined, he would still find services.
http://forums.governmentsecurity.org/index...?showtopic=1708
coder
Oct 15 2003, 11:48 AM
Yeah, I see these tarpits a lot... funny, they always seem to be at the low end of the subnet range (right where most worms would start...).
Here is an example Nmap scan of a tarpit (or what I believe to be a tarpit-like system...):
| CODE |
Host ***.92.101.2 appears to be up ... good.
Initiating SYN Stealth Scan against ***.92.101.2 at 09:27
Adding open port 80/tcp
Adding open port 21/tcp
Adding open port 22/tcp
The SYN Stealth Scan took 47 seconds to scan 1176 ports.
For OSScan assuming that port 21 is open and port 23 is closed and neither are firewalled
Interesting ports on ***.92.101.2:
(The 590 ports scanned but not shown below are in state: closed)
Port       State       Service
1/tcp      filtered    tcpmux
2/tcp      filtered    compressnet
3/tcp      filtered    compressnet
5/tcp      filtered    rje
7/tcp      filtered    echo
9/tcp      filtered    discard
11/tcp     filtered    systat
13/tcp     filtered    daytime
15/tcp     filtered    netstat
17/tcp     filtered    qotd
18/tcp     filtered    msp
19/tcp     filtered    chargen
20/tcp     filtered    ftp-data
21/tcp     open        ftp
22/tcp     open        ssh
24/tcp     filtered    priv-mail
27/tcp     filtered    nsw-fe
29/tcp     filtered    msg-icp
31/tcp     filtered    msg-auth
33/tcp     filtered    dsp
35/tcp     filtered    priv-print
[ I have truncated the output... ]
80/tcp     open        http
800/tcp    filtered    mdbs_daemon
801/tcp    filtered    device
871/tcp    filtered    supfilesrv
873/tcp    filtered    rsync
888/tcp    filtered    accessbuilder
898/tcp    filtered    sun-manageconsole
901/tcp    filtered    samba-swat
950/tcp    filtered    oftep-rpc
953/tcp    filtered    rndc
975/tcp    filtered    securenetpro-sensor
989/tcp    filtered    ftps-data
990/tcp    filtered    ftps
992/tcp    filtered    telnets
993/tcp    filtered    imaps
994/tcp    filtered    ircs
995/tcp    filtered    pop3s
996/tcp    filtered    xtreelic
997/tcp    filtered    maitrd
998/tcp    filtered    busboy
999/tcp    filtered    garcon
1000/tcp   filtered    cadlock
1008/tcp   filtered    ufsd
1023/tcp   filtered    netvenuechat
2049/tcp   filtered    nfs
6000/tcp   filtered    X11
6001/tcp   filtered    X11:1
6002/tcp   filtered    X11:2
6003/tcp   filtered    X11:3
6004/tcp   filtered    X11:4
6005/tcp   filtered    X11:5
6006/tcp   filtered    X11:6
6007/tcp   filtered    X11:7
6008/tcp   filtered    X11:8
6009/tcp   filtered    X11:9
7100/tcp   filtered    font-service

Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=320196%IPID=Z%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 3.442 days (since Tue Sep 30 22:51:22 2003)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3277206 (Good luck!)
TCP ISN Seq. Numbers: 57B04FDD 57DA0F7D 586B1DC5 585ACCBC 58715772 587BFE1A
IPID Sequence Generation: All zeros
|
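Taking the scan coder posted as input, here is an added example (my own code, not from the thread and not Nmap's source) that parses the old-style fingerprint string into its individual tests, recomputes the ISN increments and their gcd from the six ISNs Nmap listed, and applies the "nearly every port answers open" tarpit signal from Dillinja's post two messages up to the same port table. The class labels are a coarse reading of what Nmap's TSeq classes (C, 64K, i800, RI) stand for, not Nmap's algorithm, and the 0.9 open-fraction cut-off is an assumption; the port lines are a handful copied from the post, which is itself truncated.

```python
"""Added example: dissect the Nmap 3.x OS fingerprint and ISN sample posted
in this thread, and check the scan against the 'all ports open' tarpit
signal.  Not Nmap's code; class rules are a simplified reading of the
TSeq class names, and the tarpit threshold is an assumption."""
import re
from functools import reduce
from math import gcd

# Fingerprint string exactly as printed in the post (nine test strings joined).
FINGERPRINT = (
    "TSeq(Class=RI%gcd=1%SI=320196%IPID=Z%TS=100HZ)"
    "T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)"
    "T2(Resp=N)"
    "T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)"
    "T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)"
    "T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)"
    "T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)"
    "T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)"
    "PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)"
)

# The six ISNs Nmap reported for the same host.
ISNS = [0x57B04FDD, 0x57DA0F7D, 0x586B1DC5, 0x585ACCBC, 0x58715772, 0x587BFE1A]

# A few port-table lines copied from the post (the post itself is truncated).
PORT_LINES = [
    "1/tcp filtered tcpmux",
    "21/tcp open ftp",
    "22/tcp open ssh",
    "80/tcp open http",
    "2049/tcp filtered nfs",
    "6000/tcp filtered X11",
]

TEST_RE = re.compile(r"([A-Za-z0-9]+)\(([^)]*)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_fingerprint(fp):
    """'T1(Resp=Y%DF=Y%W=16A0...)' -> {'T1': {'Resp': 'Y', 'DF': 'Y', 'W': '16A0', ...}, ...}"""
    tests = {}
    for name, body in TEST_RE.findall(fp):
        attrs = {}
        for item in filter(None, body.split("%")):
            key, _, value = item.partition("=")  # 'Ops=' keeps an empty value
            attrs[key] = value
        tests[name] = attrs
    return tests


def mod_diff(a, b):
    """Distance between two 32-bit sequence numbers, taking the shorter way
    around the wraparound so a small backwards step still counts as small."""
    d = (a - b) & 0xFFFFFFFF
    return min(d, (1 << 32) - d)


def isn_analysis(isns):
    """Increments between consecutive ISNs, their gcd, and a coarse class
    label in the spirit of Nmap's C / 64K / i800 / RI classes."""
    diffs = [mod_diff(b, a) for a, b in zip(isns, isns[1:])]
    g = reduce(gcd, diffs)
    if all(d == 0 for d in diffs):
        cls = "constant"
    elif g % 64000 == 0:
        cls = "64K rule"
    elif g % 800 == 0:
        cls = "i800"
    else:
        cls = "random positive increments"
    return {"diffs": diffs, "gcd": g, "class": cls}


def port_summary(lines, scanned, hidden_closed):
    """Count port states; hidden_closed is Nmap's 'not shown below ... closed' figure."""
    counts = {"open": 0, "filtered": 0, "closed": hidden_closed, "scanned": scanned}
    for line in lines:
        m = PORT_RE.match(line.strip())
        if m:
            counts[m.group(3)] = counts.get(m.group(3), 0) + 1
    return counts


def looks_like_tarpit(counts, min_open_fraction=0.9):
    """Dillinja's signal: a tarpit answers SYN on (almost) every port, so the
    open fraction approaches 1.  The 0.9 cut-off is an assumption."""
    return counts["open"] / counts["scanned"] >= min_open_fraction


if __name__ == "__main__":
    tests = parse_fingerprint(FINGERPRINT)
    print("T1 window:", tests["T1"]["W"])              # 16A0
    print("T2 responded:", tests["T2"]["Resp"])        # N
    isn = isn_analysis(ISNS)
    print("ISN increments:", isn["diffs"])             # [2736032, 9506376, 1069321, 1477302, 698024]
    print("gcd:", isn["gcd"], "class:", isn["class"])  # 1, random positive increments
    counts = port_summary(PORT_LINES, scanned=1176, hidden_closed=590)
    print("tarpit-like:", looks_like_tarpit(counts))   # False
```

Run as a script it prints the parsed values: the gcd comes out as 1 and the class as random positive increments, matching the TSeq line of the posted fingerprint, while the open fraction (3 of 1176 scanned ports) is nowhere near the all-ports-open pattern Dillinja describes, so that particular signal does not fire on this host; what obscures its port table is the large block of filtered responses.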
Tomas-S
Oct 24 2003, 01:39 PM
Is it possible to make Windows 2000 fool nmap too?
Or is it possible with MS ISA Server 2000?