Slashdot Mirror


Fooling NMAP for Whatever Reason

taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a Sega Dreamcast, or Apple LaserWriter? Well, dream no more! David Berrueta has written a paper outlining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."

16 of 192 comments

  1. Already common practice by presroi · · Score: 4, Insightful

    Many servers hosting the web site of the US armed forces don't seem to be running the OS they are claiming to run. However, this *could* also be the result of some sort of load balancing.

  2. This is good by garett_spencley · · Score: 5, Insightful

    Well I'm strongly against security through obscurity as a security infrastructure. However, as long as you have a solid, proven security infrastructure protecting your environment then adding a bit of obscurity over the top as an added layer can only be beneficial.

    If I know that I've done everything to protect my x86 Linux box from an attack if the attacker already knows it's an x86 Linux box, what distro it's running, has access to my network (assuming the attacker is an employee) etc. then why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?

    Though security through obscurity is not a good idea as the only form of protection, it can add another blanket of support and I'm all for that as long as you understand what you're doing and why.

    1. Re:This is good by Mononoke · · Score: 3, Insightful
      then why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?
      What happens when we inadvertently give M$ 98.2% of the 'known' server market? ^_^
      --
      NetInfo connection failed for server 127.0.0.1/local
    2. Re:This is good by mosch · · Score: 4, Insightful
      why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?
      because script kiddies don't bother with fingerprinting, most of the time. they just run an attack and see if it happens to work. for proof of this, look at your apache logs.
    3. Re:This is good by jrumney · · Score: 2, Insightful
      Given the scarcity of kiddie scripts exploiting the Commodore 64, if you really want to waste some script kiddies' time you might want to go for a Windows box with IIS as your fake fingerprint.

      While you're at it, using the same technique to bait CodeRed and Slapper worms and hold them on your server for as long as possible might slow them down a bit too (if enough people were doing it). Unfortunately the Slapper variant that is still around has a 15 second timeout, but I've heard of tarpits keeping CodeRed/Nimda worms busy for up to four days.

  3. Netcraft by arvindn · · Score: 2, Insightful

    The folks at netcraft use these kinds of techniques for getting their server stats. Modifying the TCP/IP stack will screw up their stats collection :(

  4. Re:why emulate the IP stack by analog_line · · Score: 2, Insightful

    Because someone using TCP/IP fingerprinting is looking for interesting hosts to attack, for whatever reason.

    Something they've never seen before is interesting, and the would-be hacker would likely pry a bit deeper. Giving them false information either makes them disinterested ("some idiot put up a Dreamcast on the web, how stupid") or leads them to attack in a way you are expecting, and that you know will be ineffective. Watching for these known false attacks could act as some part of an early warning alarm system, holding the attacker's interest long enough to track him down. A la The Cuckoo's Egg.

  5. Re:IIS ftp by Orestesx · · Score: 3, Insightful

    Imagine the reverse: If you're running a unix/Linux server, and you disguised it to look like a windows server, then it would be harder to crack because the cracker would use the wrong techniques. It doesn't really matter that unix/linux is perceived as more secure.

  6. I see no reason to NOT do this by fudgefactor7 · · Score: 4, Insightful

    Any level of additional security, brought about by "lying" or "fooling" is a great thing. After all, nobody needs to know your OS except you. But my opinion is that people should keep their faked responses within the realm of reason. No Sega Dreamcasts, no TI calculators, no Epson Dot Matrix LQ-2170 printers... If you lie, it must be a believable lie or it will be transparently obvious and the h4x0r will figure it out instantly. And that's not a security boon at all.

  7. Re:This is good (maybe not) by dan+g · · Score: 4, Insightful

    Well I'm strongly against security through obscurity as a security infrastructure. However, as long as you have a solid, proven security infrastructure protecting your environment then adding a bit of obscurity over the top as an added layer can only be beneficial.

    Yes, except you are implementing this security by fucking with your tcp/ip stack. In other words, you are taking the 'solid, proven security infrastructure' and stirring it up a bit. It is no longer proven to be solid so this bit of obscurity could have cost you some real security. Personally this is not a patch I'd go applying to production machines.

    dan.

  8. Re:That would be very amusing... by Anonymous Coward · · Score: 1, Insightful

    Not necessarily. The "stupid kids who think they're hackers" (also called script-kiddies), tend to scan large network blocks looking for hosts that are vulnerable to specific exploits. They don't care, nor do they even likely use OS fingerprinting techniques.

  9. Re:no need.. portsentry? by secolactico · · Score: 2, Insightful

    Keep going and soon you'll have an empty route table. Do you drop just the IP or the class C or the entire netblock?

    Unless it is an all out attack, I just report it to the netblock owner. Most of the time (almost always) the report goes ignored and unanswered.

    --
    No sig
  10. Yes, you sure can! by fv · · Score: 5, Insightful
    Indeed, my site is just listed in passing, yet my web traffic suddenly tripled.

    As for the paper, I found it interesting and amusing enough to announce to the nmap-hackers. I'm all for doing this to your personal machines for entertainment and experimental value, but would almost never recommend it as a serious security hardening technique. Your time is almost always better spent working on fundamental security improvements such as applying patches, tightening firewalls, installing IDS systems, removing unnecessary services and setuid binaries, auditing system logs, etc. And sometimes this type of spoofing can actually increase security risk. Nmap expects many modern UNIX operating systems to offer nearly-unpredictable generation of TCP initial sequence numbers and the IP ID field. Crippling the generators to appear as a printer can make you vulnerable to TCP connection spoofing and a plethora of vulnerabilities related to the new Nmap Idle Scan technique.

    And remember that many or most worms and script kiddies simply spew their exploit code to every listening server rather than bothering with fingerprints. All the attempted IIS exploits in my Apache log are testament to that! And if you attract a more competent attacker, you probably won't fool them for long anyway.

    -Fyodor
    Concerned about your network security? Try the free Nmap Security Scanner
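As an added illustration of Fyodor's warning above (example code, not from the post or from Nmap): a defender who applies a stack-spoofing patch can sample the IP ID field of packets the host itself emits and classify the sequence the way a scanner would, to confirm the generator has not been turned into a plain counter. The class names, the step thresholds and the sample sequences are all constructed assumptions, loosely modelled on scanner heuristics rather than Nmap's exact rules.

```python
# Added example: classify a host's own IP ID sequence to check whether an
# OS-spoofing patch has made it predictable. Thresholds are assumptions
# loosely modelled on scanner heuristics, not Nmap's exact rules.

MAX_STEP = 10  # assumed: steps of 1..MAX_STEP count as a simple counter


def _steps(values):
    """Successive differences modulo 2^16 so counter wrap-around still works."""
    return [(b - a) % 0x10000 for a, b in zip(values, values[1:])]


def classify_ipid_sequence(ids):
    """Return 'all-zeros', 'incremental', 'incremental-byteswapped',
    'random-positive' or 'random' for a list of sampled 16-bit IP IDs."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "all-zeros"
    if all(0 < d <= MAX_STEP for d in _steps(ids)):
        return "incremental"
    # Some stacks write the counter little-endian, so the wire value is byte-swapped.
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if all(0 < d <= MAX_STEP for d in _steps(swapped)):
        return "incremental-byteswapped"
    # Always increasing (as a signed 16-bit step) but with large jumps.
    if all(0 < d < 0x8000 for d in _steps(ids)):
        return "random-positive"
    return "random"


def usable_as_idle_scan_zombie(ids):
    """A host whose IP ID is a plain counter lets a third party infer how many
    packets it sent between two probes, which is what the idle scan relies on."""
    return classify_ipid_sequence(ids) in ("incremental", "incremental-byteswapped")


# Constructed samples (not captured from any real host).
SAMPLES = {
    "printer-like counter":  [65533, 65534, 65535, 0, 1, 2],
    "byteswapped counter":   [0x0100, 0x0200, 0x0300, 0x0400],
    "increasing, big jumps": [100, 5000, 12000, 30000],
    "randomised":            [0x3A1F, 0x8C02, 0x11E9, 0xF4B7],
}

if __name__ == "__main__":
    for name, seq in SAMPLES.items():
        print(f"{name:24s} {classify_ipid_sequence(seq):24s} "
              f"zombie={usable_as_idle_scan_zombie(seq)}")
```

Feed it IP IDs read off a packet capture of your own host's replies; only the two counter classes are the ones Fyodor's idle-scan concern applies to.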

  11. All very well and good. by fw3 · · Score: 2, Insightful
    I can't get all that excited about this. Looking at an open, internet connected site, no firewalls and about 4 hosts I've recorded roughly 1 million snort detects spanning 1.5 years of on&off operation I count about 35 total external nmap scans from only 9 unique IP #s. Only a couple of those then tried to follow up with some attack traffic and one was either a very confused kiddie trying to hit a unix box with netbios-ns.

    So practically speaking, 99.999% of mundane risks (kiddies, scripts, worms) out there do minimal OS detection, and pretty much shoot attacks at random IPs. Those that do some form of detection before trying to attack certainly aren't using NMAP to scan (server version detection is far more common, and is not limited to version strings).

    For my money the time spent on stack-signature obfuscation would be far better invested in actual security measures (e.g. staying up to date on patches, implementing defense-in-depth or deploying hardened OSs).

    Sure, if you're going to put your servers behind a load balancer, packet filter or proxy, then you may well get a measure of obfuscation for free, but if the security implementation on the screened systems is no good you're going to get rooted anyway.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
  12. Re:not so cool by a_n_d_e_r_s · · Score: 2, Insightful
    I can always telnet to a UNIX box - regardless if you remove telnetd or not.

    It's just that I have to use another port :-)

    I've sent email and surfed the web using telnet !

    Telnet is very useful to debug a port with a text protocol...

    However it's not a secure way to log in to a box!

    --
    Just saying it like it are.
  13. Wal-Mart does it by tulare · · Score: 2, Insightful

    For a while now, Netcraft has reported Wal-Mart as running IIS 5.0 on Linux or Solaris :) See for yourself

    --
    political_news.c: warning: comparison is always true due to limited range of data type