Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fooling NMAP for Whatever Reason

Posted by CmdrTaco on from the well-now-isn't-that-fun dept.

taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a sega dreamcast, or Apple LaserWriter? Well Dream no more! David Berrueta has written a paper oulining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."

8 of 192 comments (clear)

  1. Already common practice by presroi · · Score: 4, Insightful

    Many servers hosting the web site of the US armed forces don't seem to be running the OS they are claiming to run. However, this *could* also be the result of some sort of load balancing.

  2. This is good by garett_spencley · · Score: 5, Insightful

    Well I'm strongly against security through obscurity as a security infrastructure. However, as long as you have a solid, proven security infrastructure protecting your enviornment then adding a bit of obscurity over the top as an added layer can only be benefitial.

    If I know that I've done everything to protect my x86 Linux box from an attack if the attacker already knows it's an x86 Linux box, what distro it's running, has access to my network (assuming the attacker is an employee) etc. then why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?

    Though security through obscurity is not a good idea as the only form of protection, it can add another blanket of support and I'm all for that as long as you understand what you're doing and why.

    1. Re:This is good by Mononoke · · Score: 3, Insightful
      then why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?
      What happens when we inadvertantly give M$ 98.2% of the 'known' server market? ^_^
      --
      NetInfo connection failed for server 127.0.0.1/local
    2. Re:This is good by mosch · · Score: 4, Insightful
      why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?
      because script kiddies don't bother with fingerprinting, most of the time. they just run an attack and see if it happens to work. for proof of this, look at your apache logs.
  3. Re:IIS ftp by Orestesx · · Score: 3, Insightful

    Imagine the reverse: If you're running a unix/Linux server, and you disguised to look like a windows server, then it would be harder to crack because the cracker would use the wrong techniques. It doesn't really matter that unix/linux is perceived as more secure.

  4. I see no reason to NOT do this by fudgefactor7 · · Score: 4, Insightful

    Any level of additional security, brought about by "lying" or "fooling" is a great thing. After all, nobody needs to know your OS except you. But my opinion is that people should keep their faked responses within the realm of reason. No Sega Dreamcasts, no TI calculators, no Epson Dot Matrix LQ-2170 printers... If you lie, it must be a believable lie or it will be transparently obvious and the h4x0r will figure it out instantly. And that's not a security boon at all.

  5. Re:This is good (maybe not) by dan+g · · Score: 4, Insightful

    Well I'm strongly against security through obscurity as a security infrastructure. However, as long as you have a solid, proven security infrastructure protecting your enviornment then adding a bit of obscurity over the top as an added layer can only be benefitial.

    Yes, except you are implementing this security by fucking with your tcp/ip stack. In other words, you are taking the 'solid, proven security infrastructure' and stirring it up a bit. It is no longer proven to be solid so this bit of obscurity could have cost you some real security. Personally this is not a patch I'd go applying to production machines.

    dan.

  6. Yes, you sure can! by fv · · Score: 5, Insightful
    Indeed, my site is just listed in passing, yet my web traffic suddenly tripled .

    As for the paper, I found it interesting and amusing enough to announce to the nmap-hackers. I'm all for doing this to your personal machines for entertainment and experimental value, but would almost never recommend it as a serious security hardening technique. Your time is almost always better spent working on fundamental security improvements such as applying patches, tightening firewalls, installing IDS systems, removing unnecessary services and setuid binaries, auditing system logs, etc. And sometimes this type of spoofing can actually increase security risk. Nmap expects many modern UNIX operating systems to offer nearly-unpredictable generation of TCP initial sequence numbers and the IP ID field. Crippling the generators to appear as a printer can make you vulnerable to TCP connection spoofing and a plethora of vulnerabilities related to the new Nmap Idle Scan technique.

    And remember that many or most worms and script kiddies simply spew their exploit code to every listening server rather than bothering with fingerprints. All the attempted IIS exploits in my Apache log are testament to that! And if you attract a more competent attacker, you probably won't fool them for long anyway.

    -Fyodor
    Concerned about your network security? Try the free Nmap Security Scanner