Fooling NMAP for Whatever Reason
taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a Sega Dreamcast, or Apple LaserWriter? Well, dream no more! David Berrueta has written a paper outlining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."
I could just see slashdot running on a Trash-80.
Modular Redundancy--Because 4 out of 5 Nodes agree
On my atari!
...to see the first time some hacker scans my network to see that every server is running off a Dreamcast. Wouldn't that be funny if that became the secure standard? Every TCP/IP fingerprint returns "Sega Dreamcast". Wouldn't be a huge security boost, but it would help slow down the process of choosing a system to try and break. And the stupid kids who think they're hackers would probably just move on.
Many servers hosting the web site of the US armed forces don't seem to be running the OS they are claiming to run. However, this *could* also be the result of some sort of load balancing.
I've seriously been looking for this for my home box. Of course it's only part of the way of hiding the real OS you're running. One part of enumeration is to look at the banners that network servers show. For example, telnetting to my home box:
[rghf@localhost rghf]$ telnet foo.wibble 22
Trying foo.wibble...
Connected to foo.wibble
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
Shows I'm running Debian (or am I? :). So changing these as well could give those l33t script kiddies some fun :)
Rus
Cheap UK and US VPS
Well, this proves that it doesn't matter what OS fingerprint you have, you can still get slashdotted...
(But not before I d/led it to my local machine first!)
Well, I'm strongly against security through obscurity as a security infrastructure. However, as long as you have a solid, proven security infrastructure protecting your environment then adding a bit of obscurity over the top as an added layer can only be beneficial.
If I know that I've done everything to protect my x86 Linux box from an attack if the attacker already knows it's an x86 Linux box, what distro it's running, has access to my network (assuming the attacker is an employee) etc. then why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?
Though security through obscurity is not a good idea as the only form of protection, it can add another blanket of support and I'm all for that as long as you understand what you're doing and why.
Why emulate the IP stack when with the patented /. effect you can make any webserver look like it actually is an Apple printer.
:)
11 posts and already my browser is in for the long night.
Personally I would have thought setting a couple of reserved bits in the header at random and changing the telnet banner to "my other system is a skoda" would do, and I suspect you'll be just as well off.
The folks at netcraft use these kinds of techniques for getting their server stats. Modifying the TCP/IP stack will screw up their stats collection :(
OS fingerprinting is dying!
(sorry. someone had to...)
Well, not me personally. But what do you think Microsoft has been doing all the years? Considering how stable their site is (and taking into account the humongous crash when they tried to move Hotmail onto WinNT), I'm convinced that they've been running the whole MSN network on Unix-based servers, disguising them as Windows ;)
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Quoting from "Microsoft IIS 5 Administration" (pp. 52) ...
Long-winded way of saying Unix/Linux is perceived as being harder to crack. :)
Do you even lift?
These aren't the 'roids you're looking for.
A lot of sites have to eat their own dogfood, like Hotmail. Now they needn't any longer. If they can change their fingerprint, they can run Linux and make it look like they're running NT. (They used to run FreeBSD earlier.)
If you want to change that, just edit the /etc/issue and /etc/issue.net files.
But we gotta be more serious than that.
.sigs are useless; it doesn't protect you from imposters.
to be a ninja is to deceive;
For The Best Jazz/Hip-hop fusion > COlD DUCK
Compy 386
Someone thought about OS fingerprint obfuscating a while ago... http://ippersonality.sourceforge.net/
I believe IP Personality was there first.
(Unfortunately I can't get to the linked story at the moment to confirm this.)
I want to drag this out as long as possible. Bring me my protractor.
Yessiirreee,
I'm servin' mah HTTP files from this here ol' guitar and my FTP files from an empty bottle-a-booze.
And this post, yes HTTP_REFERER was from the ol' cadillac factory I once worked at; the one where I snagged my dancin' machine car one piece at a time over twenty or some number of years-*HICCUP*
-SlashdotTroll (because slashdot don't like me, my karma is terrible, and at -1 they only let me post twice in 24hours from this ol' Folsom prison I'm stuck in.)
s/interesting/idiotic/
... a story i heard a while back regarding script kiddies.
some researchers set up a unix server, went into a script kiddies' IRC channel and said they found this wide open windows box, saying it contained credit card numbers or something like that, giving the IP of their honeypot.
not one kiddie tried a unix sploit on the box; 100% of the attempts were exploits designed for windows.
so for fooling nmap, if you're a security admin, set up your windows boxen with unix fingerprints and vice versa, and you'll at least avoid getting r00ted by most script kiddies. just continue to be aware of the dedicated cracker who's above the ranks of kiddies.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Here.
:-X
Please mod this down so I don't get slashdotted too badly.
I've seen very few portscans against any of my internet connected boxes. The usual unsolicited connection attempts tend to be for well-known exploits (18 months ago, port 111 was *really* popular with several attempts a day). I'm not really sure whether it's worth the effort going out of your way to do things to change the OS fingerprint that nmap comes up with (even under good conditions, I've never found nmap's fingerprint particularly reliable or accurate anyway).
Oolite: Elite-like game. For Mac, Linux and Windows
If their computers start lying about their OS and software installed then the BSA will invade them and stick 100 lawyers on their head before you can say "Nmap"
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
Caen yuo teach me h0w I can maek peopol think me computaR is running oin teh nitendo gammecube?
Disgruntled.
Any level of additional security, brought about by "lying" or "fooling" is a great thing. After all, nobody needs to know your OS except you. But my opinion is that people should keep their faked responses within the realm of reason. No Sega Dreamcasts, no TI calculators, no Epson Dot Matrix LQ-2170 printers... If you lie, it must be a believable lie or it will be transparently obvious and the h4x0r will figure it out instantly. And that's not a security boon at all.
Takes a completely different approach to what I was thinking - I was thinking of doing it all in userspace. Run some daemon that uses libpcap and "responds" to certain ports like a real machine. Basically means a TCP stack in userspace, so it's not a trivial undertaking but still lots of fun. I was also thinking of making it use nmap's own configuration files so you can simply specify what OS you want it to look like and it looks up the params in the config file. Only disadvantage is that you want it to pass "real" packets in to the kernel for normal processing so this is only useful in limited situations (when you can firewall a machine off completely from the Internet and only need it to serve up something within your organization). I was also considering writing something that uses FreeBSD's divert sockets since you could integrate that nicely with your firewall, but it wouldn't be as portable as the other approach (which would work wherever pcap works).
Anyway, this has been done. The paper seems slashdotted so I can't read it.
From the Netcraft FAQ:
Why do you report impossible operating system/server combinations?
Webservers that operate behind a caching system, load balancer, reverse proxy server or a firewall may sometimes report the operating system of the intermediate machine. Hence reports of 'Microsoft/IIS on Linux' may indicate that either the web server is behind a Linux server that is acting as a reverse proxy, or has configured the Akamai caching system such that the first request to the site goes to one of Akamai's servers [which run Linux], or as in the case of www.walmart.com has been configured to send a misleading signature.
Dunno. The foot vote seems to hold that, warts and all, the USA ain't so bad.
Seen a lot of the world. Two observations:
a) People are more or less the same
b) Overall, the USA, like a sore penis, can't be beat.
People who scan my servers get their routes dropped. Why would I want to fool them for being fools and scanning my servers?
Oppression is never wrong if you are not on the side of the oppressor.
1)Kill a raghead for cheap gas!
2)Use their turbans as wicks for the fires of the corporation known as capitalism!
3)????
4) PROFIT!
You've probably already read through the NSA security guide, hardened the OS, DELETED (not just disabled) the guest account, etc.
In which case, most of the k1dd13 hacks won't affect you...
What is all this puffery for netBSD on the Dreamcast? Do you know they don't even use the GPL??!!!
See the url above if you wish to purify yourself.
Changing the appearance of your machine might irritate people and *might* discourage them from trying further closer looks at this machine.
So: What would your favourite OS of choice to pretend to be, and why aren't you using it anyway?
Well, I'm strongly against security through obscurity as a security infrastructure. However, as long as you have a solid, proven security infrastructure protecting your environment then adding a bit of obscurity over the top as an added layer can only be beneficial.
Yes, except you are implementing this security by fucking with your tcp/ip stack. In other words, you are taking the 'solid, proven security infrastructure' and stirring it up a bit. It is no longer proven to be solid so this bit of obscurity could have cost you some real security. Personally this is not a patch I'd go applying to production machines.
dan.
I wonder how clever this deception is? It's easy enough to grab the version advertisement, but more difficult to make your system respond the same way as another OS, especially if that other OS is 'broken' in regard to TCP/IP. The question is whether you want to mimic the 'bug for bug' behaviour...
There are some who disable ICMP response because it could help to show that a machine is active. Well, that's the canonical reason. But you can also use ICMP to (very slowly) move data, so at least in a far-fetched scenario it could be used as a vector for attack.
Say someone wants to attack your server. NMAP shows the OS as Windows NT. However, attaching to port 80 shows an Apache version string that has been released with RedHat. The casual cracker may have been deterred by the OS advertisement, but anyone else would not have. If your defense depends to a large part on version obfuscation then you don't have a defense, simply put.
So you could grep through all the sources for version strings of all your internet exposed services, but that won't gain anything. Does version obfuscation hurt? Probably not. Neither does changing your user-agent string in the browser, except that fewer non-IE browsers will be tallied. For this reason alone I don't change my user-agent string, nor do I change my OS signatures (though I know how to).
i am going to make mine resemble that webserver in a house fly we saw last week
honeyd is able to do this already for quite a long time. With honeyd you can basically create "virtual hosts", running on another computer, with their own IP address, their own IP personality (it comes with a large database of them), and their own services (basically, every inetd-capable program can be used as server with it). You can even create a "virtual network" of them, with configurable routes, latency and packet loss. Indistinguishable from real computers and networks.
A monkey is doing the real work for me.
the ip_personality patch available in other posted comments here has done it years before. the links to the nmap site are old too. never seen the pdf story but I guess it's nothing new too.
glad to see the ip_personality patch getting more publicity because
a) it needs to be more actively maintained
b) it should eventually become a kernel driver
BTW, some version of BSD has this as well already on its kernel.
Keep going and soon you'll have an empty route table. Do you drop just the IP or the class C or the entire netblock?
Unless it is an all out attack, I just report it to the netblock owner. Most of the time (almost always) the report goes ignored and unanswered.
No sig
He telneted to port 22, the ssh port. He used telnet so you could see the informational banner.
The issue file has nothing to do with the ssh banner that appears if you telnet to port 22. That banner normally doesn't appear if you use ssh, but telnet will show it. The issue file is shown later...
I was one of the instructors in the war games lab. To make things interesting for the students, I distributed nmap with a modified nmap-os-fingerprints file. Windows 2000 machines were reported as Solaris 2.6 (X86) and so forth. Some of the student responses were interesting.
This is cool and all, but these days worms and virii select victims at random so your fingerprint won't make a damn bit of difference, except you might think you are a bit safer but you are not.
Silly Rabbit: tricks are for kids.
I read this article a few days ago and bookmarked most of the links I thought valuable. If anyone else is interested add some more to this thread so I can grab them :)
article.txt
Exported bookmarks Fingerprint
blackhole(4) - a sysctl(8) MIB for manipulating TCP
Help Net Security OS-FngrPrint article in PDF
Honeyd - Network Rhapsody for You
http://ojnk.sourceforge.net/stuff/iplog.readme
http://www.insecure.org/nmap/nmap-fingerprinting-
IP Personality - Home
Kernel Options
p0f file listing
PhoneBoys FireWall-1 FAQs: Blocking queSO packets
s0ftpr0ject 2000 Fingerprint Fucker
Security Technologies
SourceForge.net: Project Info - SING
Sys-Security.com - Because Security is not Trivial
USENIX Technical Program - Abstract - Security Symposium - 2000
-- "of course that's just my opinion, I could be wrong." --Dennis Miller
I said quite clearly that I could not get to the linked article:
(Unfortunately I can't get to the linked story at the moment to confirm this.)
Was that too cryptic?
The first thing I do when setting up a redhat box is remove the login banner that says "I'm Red Hat version x.x.x".
The first thing I do when setting up _any_ *nix box is to ensure that you CAN'T telnet to it, period!!!!
Use only sshd.
Portsentry's main failing is that it waits until a packet has got into userspace before anything happens about it, and even then it only operates on an opt-in kind of way - like you've got to be looking out for scans on specific ports, or whatever.
The alternative, and to me far more sensible, approach, is to drop all packets that aren't something you want, in a firewall, up ahead. If someone treats you to a multi-port scan, well, it appears in the logs. If someone scans you on a port on which you're listening, well, the reason you're running a front-facing service is because it's pretty well tightened instead, right?
Retroactive and dicey doesn't appeal to me.
~Tim
--
Rushing on down to the circle of the turn
Is a commodore64, and it feels good baby!
Well, what other purpose would this serve other than convincing people that your server is a Com64. I sure as hell don't know a better reason
YOU SUCK BALLS!
So...the dream is done, or you agree with the previous poster, who suggested the original poster was a troll.
The previous poster (me) used a well known technique for avoiding a -1: that is, to accuse the parent poster of being a troll or flamebaiter, then making a sarcastic comment in support of said parent.
That being said, there are lots of sites which suggest that America is less than "American" when dealing with countries and people outside its borders. In fact, some of those sites are even right! It's hard to gauge which are truthful, as they don't get much media attention. History has shown that the government has been more than ready and willing to lie to us to gain support for war. Myself, I don't trust anything that this current administration is doing in the name of "The War on Terror" as I believe that they're more interested in the lucrative rebuilding contracts for their friends (Halliburton, et al), the TAP pipeline that "we wouldn't support," and, of course, unsullying the family name (my daddy may not have kicked your ass, but I will!)
Sure, some of it's crap, maybe. But there's crap on both sides, mostly on the right of the aisle. The idiots that believe (or just claim, ala Bush) that anything approaching democracy is going to happen are fooling themselves. If we really wanted democracy, why did we assure Turkey that we would not support the Kurds' desire for self-government? Why didn't El Presidente Bush-o approve funding for the rebuilding of Afghanistan? Just look at what's going on inside many of our Middle East allies' countries. Torture, stonings, rape, more torture, a ruling class of less than 1% of the population with more than 90% of the wealth (oh, wait, that looks familiar).
Anyway, who cares, we're being dragged into war, no matter what. If they have to lock up dissenters as enemy combatants, they'll cross out the appropriate Amendment when they come to it!
As for the paper, I found it interesting and amusing enough to announce to the nmap-hackers. I'm all for doing this to your personal machines for entertainment and experimental value, but would almost never recommend it as a serious security hardening technique. Your time is almost always better spent working on fundamental security improvements such as applying patches, tightening firewalls, installing IDS systems, removing unnecessary services and setuid binaries, auditing system logs, etc. And sometimes this type of spoofing can actually increase security risk. Nmap expects many modern UNIX operating systems to offer nearly-unpredictable generation of TCP initial sequence numbers and the IP ID field. Crippling the generators to appear as a printer can make you vulnerable to TCP connection spoofing and a plethora of vulnerabilities related to the new Nmap Idle Scan technique.
And remember that many or most worms and script kiddies simply spew their exploit code to every listening server rather than bothering with fingerprints. All the attempted IIS exploits in my Apache log are testament to that! And if you attract a more competent attacker, you probably won't fool them for long anyway.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner
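A defender-side check of the point Fyodor makes above: an added example (not nmap's code) that audits sampled TCP ISNs and IP IDs for the predictability a printer-style disguise would introduce. The SP-style index and the IP ID classes are this example's own simplified imitations, and the sample generators stand in for ISNs captured from real SYN/ACK replies.

```python
"""Constructed audit of how predictable a host's TCP ISN and IP ID
sequences look.  Added example, not nmap's code: the SP-style index and
the IP ID classes are simplified imitations of what an OS-fingerprinting
scanner computes from the numbers a host hands out."""
import math
import random
import statistics
from typing import List

ISN_MOD = 1 << 32     # TCP sequence numbers are 32-bit
IPID_MOD = 1 << 16    # IP identification field is 16-bit


def wrapped_deltas(values: List[int], mod: int) -> List[int]:
    """Consecutive differences, unwrapped modulo `mod` into [-mod/2, mod/2)."""
    out = []
    for a, b in zip(values, values[1:]):
        d = (b - a) % mod
        if d >= mod // 2:
            d -= mod
        out.append(d)
    return out


def isn_predictability(isns: List[int]) -> int:
    """Sequence-predictability index: 0 means a constant increment,
    values above ~240 mean the full 32 bits look random.
    Assumption (mirrors the shape of nmap's SP value, not its exact code):
    factor out a common increment, then take 8 * log2(std dev)."""
    deltas = wrapped_deltas(isns, ISN_MOD)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    g = 0
    for d in deltas:
        g = math.gcd(g, abs(d))
    if g > 9:                       # e.g. the classic fixed +64000 per connection
        deltas = [d // g for d in deltas]
    sd = statistics.pstdev(deltas)
    return 0 if sd < 1 else round(8 * math.log2(sd))


def classify_isn(isns: List[int]) -> str:
    """Thresholds are this example's own choice."""
    sp = isn_predictability(isns)
    if sp == 0:
        return "constant-increment"   # TCP connection spoofing is trivial
    if sp < 160:                      # std dev below 2**20: guessable
        return "low-entropy"
    return "random"


def classify_ipid(ipids: List[int]) -> str:
    """A host with a global incremental IP ID counter can be abused as the
    'zombie' in an idle scan; zero or random IDs cannot."""
    deltas = wrapped_deltas(ipids, IPID_MOD)
    if all(d == 0 for d in deltas):
        return "zero"
    if all(1 <= d <= 9 for d in deltas):
        return "incremental"
    return "random"


# --- constructed sample generators standing in for captured SYN/ACKs ---
def constant_increment_isns(n: int, step: int = 64000) -> List[int]:
    return [(0x1000 + i * step) % ISN_MOD for i in range(n)]


def jittered_isns(n: int, seed: int = 1) -> List[int]:
    rng, v, out = random.Random(seed), 0x12345678, []
    for _ in range(n):
        out.append(v)
        v = (v + 128000 + rng.randint(-50, 50)) % ISN_MOD
    return out


def random_isns(n: int, seed: int = 7) -> List[int]:
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, gen in [("printer-style", constant_increment_isns),
                      ("old-unix-style", jittered_isns),
                      ("modern-style", random_isns)]:
        isns = gen(32)
        print(f"{name:15} SP={isn_predictability(isns):3d} -> {classify_isn(isns)}")
    print("IP ID 100,101,102,... ->", classify_ipid(list(range(100, 132))))
```

Feed it ISNs and IP IDs sampled from a host before and after applying a spoofing patch; if the classes degrade from "random" to "constant-increment" or "incremental", the disguise has cost real protection.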
So practically speaking, 99.999% of mundane risks (kiddies, scripts, worms) out there do minimal OS detection, and pretty much shoot attacks at random IPs. Those that do some form of detection before trying to attack certainly aren't using NMAP to scan (server version detection is far more common, and is not limited to version strings).
For my money the time spent on stack-signature obfuscation would be far better invested in actual security measures (e.g. staying up to date on patches, implementing defense-in-depth or deploying hardened OSes).
Sure, if you're going to put your servers behind a load balancer, packet filter or proxy, then you may well get a measure of obfuscation for free, but if the security implementation on the screened systems is no good you're going to get rooted anyway.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Nuff said! 4k memory, 2k addressable.
If you use NetCraft to see what Iowa State is running, it says they are using /bin/sh as their webserver. Here are the results.
Is this related? How do they do that? It must be a joke.
Say I make my network appear to consist of Windows 2000 servers, could the BSA use this fingerprinting to force an audit on my company?
Please stop confusing NetCraft with port scanners.
Nmap is a port scanner, it scans ports. Every tcp packet contains a fingerprint. That fingerprint can be analysed to give the os.
NetCraft uses a http server scanner. It only scans port 80 for a http server and analyses its results
That means:
a) These are Two Completely different things
b) It's much easier to fool NetCraft than nmap
The systems described in the paper such as IP Personality and Honeyd (my favorite), work by watching for the exact probes as described in my fingerprinting paper and then responding as detailed in the Nmap OS DB. But what about all the other TCP/IP techniques for fingerprinting a system? Later this year, I hope to add about half a dozen, including selective ACKs, TTL-normal-reply, and TTL-RST-Echo. Once these are implemented, spoofed systems will appear as a Dreamcast (or whatever) using the old techniques and will be exposed as their real OS via the new techniques. So Nmap could offer fingerprints like "Linux 2.4 pretending to be a Laserwriter". And attackers could even scan the 'Net looking for spoofed boxes -- let's hope the spoofing modules/programs don't open any security holes of their own!
Of course, the spoofers will then update their software to recognize the new fingerprinting technique and the cycle begins anew. Ah well. I enjoyed Berrueta's paper, by the way.
-Fyodor
Some people have said that OS detection is only used for exploiting things. I don't know about other people, but I at least use it as a simple measure of intelligence. XP being lowest, other Windows next lowest, Mac and OSX somewhere in the middle, and everything else a bit higher. Of course, with everyone switching to Linux, including the less intelligent people (this is what Lindows is for), I might have to stop making these assumptions...
Luke-Jr
Anything that makes a laughingstock of that criminal fyodor is progress in my book.
Hey do you still have the screencaps you took when you hacked sdem's box, after he convinced you that he was a she? That was funny.
- Severe Vomiting
- Permanent blindness
- Headache
- Sore throat
- Genital Herpes
- Insanity
It's really that bad. You might want to look into ispell or setting up whatever word processor you puked this crap into to check your spelling. After that, go to the local elementary school and find a third grader to proofread your grammar. If you want to be taken seriously you have to proofread the things you "publish" even if it is only the web.
For a while now, Netcraft has reported Wal-Mart as running IIS 5.0 on Linux or Solaris :) See for yourself
political_news.c: warning: comparison is always true due to limited range of data type
Thanks for all you've done for network security over the last few years - us poor mortals have to rely on proper smart guys like you for the real work.
This is no bull - you have done as much for network security as anyone that has ever written a firewall, and more than most.
I say again - respect! and big ups to Fyodor!!!!!
oh brave new world, that has such people in it!
Those things had real power. Somewhere I might still have mine.
if I can get this page to load, then I'll read to see if I can change it to that.
or perhaps a loaf of nutbread.
There are some odd things afoot now, in the Villa Straylight.
You can find a mirror of the paper here.
www.si20.com/nmap.php
Ace
You should only ever have a single port on any machine open to the net, and unless it's a publicly accessible web/ftp server, you should have it acl'd off to known ip blocks.
iirc, nmap requires 2 open ports to do a fingerprint. If you have just 1 open, then it won't work.
I guess I wasn't clear on what I'd meant. Sure the telnet protocol is plenty useful for lots of things, but the telnetd daemon (and the classic ftpd) is a rooting just waiting to happen. This day and age, you just cannot trust running any listening protocol that authenticates usernames and passwords as clear text in the packets/datagrams. The likelihood of somebody eavesdropping on the "conversation" is just too great anymore.
Hmmm... if so, the Subj creatures could really 'help' their employers show that they're doing the right thing, by setting things up so as to bring in the lawyers, every once in a while - especially in a totally Windows 2000 free shop
I grabbed it, at a miserable 81 BYTES per second!
and posted it here:
PDF Mirror
That should be a lot faster.
Don't fucking start talking about treason. You're the type of stupid fuck who would actually support shit like the Patriot Act.
loyalty to the country always,
loyalty to the government only when it deserves it
I wonder if this will lead to new/random exploits?
Hmmm
[abc@localhost abc]$ telnet Myhost.testbox 22
Trying Myhost.testbox...
Connected to Myhost.testbox
Escape character is '^]'.
SSH-2.0-Sinclair ZX_81 OS v.1
Yeah, it seems like it works, but if he got slashdotted so quickly, how do we know that his website really *isn't* running on a Timex watch? As for me, I'm pretty skeptical. There are limits to what is possible, here...
Nah, my dropped routes are only temporary, I clean out
I only drop the IP itself.
Reporting it is futile in my experience. The attacker almost never uses their own IP.
The hieroglyphics are all unreadable except for a notation on the back,
which reads "Genuine authentic Egyptian papyrus. Guaranteed to be at
least 5000 years old."
- this post brought to you by the Automated Last Post Generator...