Fooling NMAP for Whatever Reason
taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a Sega Dreamcast, or Apple LaserWriter? Well, dream no more! David Berrueta has written a paper outlining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."
I've seriously been looking for this for my home box. Of course it's only part of the way of hiding the real OS you're running. One part of enumeration is to look at the banners that network servers show. For example, telnetting to my home box:
[rghf@localhost rghf]$ telnet foo.wibble 22
Trying foo.wibble...
Connected to foo.wibble
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
Shows I'm running Debian (or am I? :). So changing these as well could give those l33t script kiddies some fun :)
Rus
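The banner in the telnet session above is the SSH identification string defined in RFC 4253 (section 4.2): "SSH-protoversion-softwareversion SP comments". The software field gives the server version and, on Debian, the free-form comment field carries the distribution and package revision, which is the part that leaks the OS. The following is an added example, not code from the post: a small parser for that string (and for the analogous HTTP Server header a later comment mentions), plus a live grabber that reads the first line a server sends, so an admin can audit what their own hosts advertise. The sample banner is the one from the post; the HTTP Server value is constructed.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 4253 s4.2: SSH-protoversion-softwareversion [SP comments] CR LF
SSH_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# RFC 2616 s14.38: Server = "Server" ":" 1*( product | comment ), e.g.
#   Apache/1.3.26 (Unix) Debian GNU/Linux
HTTP_PRODUCT_RE = re.compile(r"^(?P<product>[^/\s]+)(?:/(?P<version>\S+))?")


@dataclass
class Banner:
    kind: str                  # "ssh" or "http"
    software: str              # product name, e.g. OpenSSH or Apache
    version: Optional[str]     # version string if one was advertised
    comments: Optional[str]    # free-form trailer (distro, modules, ...)
    os_hint: Optional[str]     # first token of the trailer, if any


def parse_ssh_banner(line: str) -> Banner:
    """Split an SSH identification string into its RFC 4253 fields."""
    m = SSH_BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    software = m.group("software")
    # OpenSSH writes softwareversion as NAME_VERSION; other servers differ.
    name, _, version = software.partition("_")
    comments = m.group("comments")
    hint = comments.split()[0] if comments else None
    return Banner("ssh", name, version or None, comments, hint)


def parse_http_server_header(value: str) -> Banner:
    """Split an HTTP Server header into product, version and comment."""
    m = HTTP_PRODUCT_RE.match(value.strip())
    if not m:
        raise ValueError(f"empty Server header: {value!r}")
    rest = value.strip()[m.end():].strip() or None
    # Text after the first product token is where Apache-style builds put
    # "(Unix) Debian GNU/Linux"; take the first word outside parentheses.
    hint = None
    if rest:
        outside = re.sub(r"\([^)]*\)", " ", rest).split()
        hint = outside[0] if outside else None
    return Banner("http", m.group("product"), m.group("version"), rest, hint)


def grab_first_line(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Live equivalent of the telnet session: SSH servers speak first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.makefile("rb").readline().decode("ascii", "replace")


if __name__ == "__main__":
    # Banner from the post above and a constructed Apache Server value.
    print(parse_ssh_banner("SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1\r\n"))
    print(parse_http_server_header("Apache/1.3.26 (Unix) Debian GNU/Linux"))
```

Note that the OS hint comes purely from the comment field: a server built without distribution tags advertises only the software version, which is why sshd's version string alone tells you much less than a packaged Debian build does.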
Cheap UK and US VPS
(But not before I d/led it to my local machine first!)
Someone thought about OS fingerprint obfuscating a while ago... http://ippersonality.sourceforge.net/
... a story i heard a while back regarding script kiddies.
Some researchers set up a Unix server, went into a script kiddies' IRC channel and said they found this wide open Windows box, saying it contained credit card numbers or something like that, giving the IP of their honeypot.
Not one kiddie tried a Unix sploit on the box; 100% of the attempts were exploits designed for Windows.
So for fooling nmap, if you're a security admin, set up your Windows boxen with Unix fingerprints and vice versa, and you'll at least avoid getting r00ted by most script kiddies. Just continue to be aware of the dedicated cracker who's above the ranks of kiddies.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
I've seen very few portscans against any of my internet connected boxes. The usual unsolicited connection attempts tend to be for well-known exploits (18 months ago, port 111 was *really* popular with several attempts a day). I'm not really sure whether it's worth the effort going out of your way to do things to change the OS fingerprint that nmap comes up with (even under good conditions, I've never found nmap's fingerprint particularly reliable or accurate anyway)
Oolite: Elite-like game. For Mac, Linux and Windows
If their computers start lying about their OS and software installed then the BSA will invade them and stick 100 lawyers on their head before you can say "Nmap".
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
Takes a completely different approach to what I was thinking - I was thinking of doing it all in userspace. Run some daemon that uses libpcap and "responds" to certain ports like a real machine. Basically means a TCP stack in userspace, so it's not a trivial undertaking but still lots of fun. I was also thinking of making it use nmap's own configuration files so you can simply specify what OS you want it to look like and it looks up the params in the config file. Only disadvantage is that you want it to pass "real" packets in to the kernel for normal processing so this is only useful in limited situations (when you can firewall a machine off completely from the Internet and only need it to serve up something within your organization). I was also considering writing something that uses FreeBSD's divert sockets since you could integrate that nicely with your firewall, but it wouldn't be as portable as the other approach (which would work wherever pcap works).
Anyway, this has been done. The paper seems slashdotted so I can't read it.
From the Netcraft FAQ:
Why do you report impossible operating system/server combinations?
Webservers that operate behind a caching system, load balancer, reverse proxy server or a firewall may sometimes report the operating system of the intermediate machine. Hence reports of 'Microsoft/IIS on Linux' may indicate that either the web server is behind a Linux server that is acting as a reverse proxy, or has configured the Akamai caching system such that the first request to the site goes to one of Akamai's servers [which run Linux], or as in the case of www.walmart.com has been configured to send a misleading signature.
honeyd is able to do this already for quite a long time. With honeyd you can basically create "virtual hosts", running on another computer, with their own IP address, their own IP personality (it comes with a large database of them), and their own services (basically, every inetd-capable program can be used as server with it). You can even create a "virtual network" of them, with configurable routes, latency and packet loss. Indistinguishable from real computers and networks.
A monkey is doing the real work for me.
ObReadTheArticleFirst:
"IP Personality
The first and probably best option is IP Personality. It's a netfilter module (then only available for 2.4 Linux kernels) that allows us to change the IP stack behaviour and 'personality', having multiple network personalities depending on parameters that you can specify as an iptables rule."
etc, etc, etc..
Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
He telneted to port 22, the ssh port. He used telnet so you could see the informational banner.
I read this article a few days ago and bookmarked most of the links I thought valuable. If anyone else is interested add some more to this thread so I can grab them :)
article.txt
Exported bookmarks Fingerprint
blackhole(4) - a sysctl(8) MIB for manipulating TCP
Help Net Security OS-FngrPrint article in PDF
Honeyd - Network Rhapsody for You
http://ojnk.sourceforge.net/stuff/iplog.readme
http://www.insecure.org/nmap/nmap-fingerprinting-
IP Personality - Home
Kernel Options
p0f file listing
PhoneBoys FireWall-1 FAQs: Blocking queSO packets
s0ftpr0ject 2000 Fingerprint Fucker
Security Technologies
SourceForge.net: Project Info - SING
Sys-Security.com - Because Security is not Trivial
USENIX Technical Program - Abstract - Security Symposium - 2000
-- "of course thats just my opinion, I could be wrong." --Dennis Miller
Please stop confusing NetCraft with port scanners.
Nmap is a port scanner; it scans ports. Every TCP packet contains a fingerprint. That fingerprint can be analysed to give the OS.
NetCraft uses an HTTP server scanner. It only scans port 80 for an HTTP server and analyses its results.
That means:
a) These are Two Completely different things
b) It's much easier to fool NetCraft than nmap
Even if we add an additional 10 vulns for 2000 and 2001, Win2000 still doesn't end up in first place.
Adding "an additional ten vulnerabilities" would simply make the data even more meaningless than the authors of security focus already assert the data to be.
"The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made."
But I'll play along:
Windows NT/2000 10 8 78 97 42
Debian 3 2 31 55 28
Debian GNU/Linux has fewer incidents associated with it than does Windows NT/2000. I suppose the Windows NT also includes IIS, but that's fair since Apache is, or would be, reported under the Debian category. (Also, IIS is referenced in this thread's topic title--but I digress.) Also, the sharp decrease in 2001 incident reports has a lot to do with the fact that statistics were only taken through August of that year.
FYI, I don't use Linux (at present). I'm a MacOS X user.