Slashdot Mirror


Fooling NMAP for Whatever Reason

taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a Sega Dreamcast, or Apple LaserWriter? Well, dream no more! David Berrueta has written a paper outlining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."

5 of 192 comments

  1. Cool :) by rf0 · · Score: 4, Informative

    I've seriously been looking for this for my home box. Of course it's only part of the way of hiding the real OS you're running. One part of enumeration is to look at the banners that network servers show. For example, telnetting to my home box:

    [rghf@localhost rghf]$ telnet foo.wibble 22
    Trying foo.wibble...
    Connected to foo.wibble
    Escape character is '^]'.
    SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1

    Shows I'm running Debian (or am I? :). So changing these as well could give those l33t script kiddies some fun :)

    Rus
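
As an added example (not part of the comment above or of the paper): a short Python check that parses an SSH identification string in the RFC 4253 format and reports what it discloses, run against the banner quoted in comment 1. The function names and the `OS_HINTS` token list are assumptions made for this illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Constructed, non-exhaustive list of tokens that reveal the platform.
OS_HINTS = ("debian", "ubuntu", "freebsd", "netbsd", "openbsd", "raspbian")


def parse_ssh_ident(line):
    """Split an SSH identification string into its RFC 4253 fields."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {
        "proto": m["proto"],
        "software": m["software"],
        "comments": m["comments"] or "",
    }


def audit_banner(line):
    """Return a list of findings describing what the banner discloses."""
    ident = parse_ssh_ident(line)
    if ident is None:
        return ["not an SSH identification string"]
    findings = []
    # A digit in the software field means an exact server version is advertised.
    if re.search(r"\d", ident["software"]):
        findings.append("server version disclosed: " + ident["software"])
    text = (ident["software"] + " " + ident["comments"]).lower()
    for hint in OS_HINTS:
        if hint in text:
            findings.append("platform disclosed: " + hint)
    # Distribution package revisions (e.g. 1:3.4p1-1) reveal the patch level.
    pkg = re.search(r"\b\d+:\S+", ident["comments"])
    if pkg:
        findings.append("package revision disclosed: " + pkg.group(0))
    return findings


if __name__ == "__main__":
    # First banner is the one quoted in the comment; second is constructed.
    for s in ("SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1", "SSH-2.0-OpenSSH"):
        print(s, "->", audit_banner(s) or ["nothing beyond protocol version"])
```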

  2. PDF MIRROR HERE by scubacuda · · Score: 5, Informative

    I googled and found a mirror PDF site.

    (But not before I d/led it to my local machine first!)

  3. IP personality.. by RatOfTheLab · · Score: 5, Informative

    Someone thought about OS fingerprint obfuscating a while ago... http://ippersonality.sourceforge.net/

  4. Sometimes deliberate, sometimes not. by radon28 · · Score: 4, Informative

    From the Netcraft FAQ:

    Why do you report impossible operating system/server combinations?

    Webservers that operate behind a caching system, load balancer, reverse proxy server or a firewall may sometimes report the operating system of the intermediate machine. Hence reports of 'Microsoft/IIS on Linux' may indicate that either the web server is behind a Linux server that is acting as a reverse proxy, or has configured the Akamai caching system such that the first request to the site goes to one of Akamai's servers [which run Linux], or as in the case of www.walmart.com has been configured to send a misleading signature.

  5. honeyd does this already by quigonn · · Score: 5, Informative

    honeyd has been able to do this for quite a long time already. With honeyd you can basically create "virtual hosts", running on another computer, with their own IP address, their own IP personality (it comes with a large database of them), and their own services (basically, every inetd-capable program can be used as a server with it). You can even create a "virtual network" of them, with configurable routes, latency and packet loss. Indistinguishable from real computers and networks.

    --
    A monkey is doing the real work for me.