Slashdot Mirror


Fooling NMAP for Whatever Reason

taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a Sega Dreamcast, or Apple LaserWriter? Well, dream no more! David Berrueta has written a paper outlining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."

9 of 192 comments

  1. That would be very amusing... by analog_line · Score: 3, Interesting

    ...to see the first time some hacker scans my network to see that every server is running off a Dreamcast. Wouldn't that be funny if that became the secure standard? Every TCP/IP fingerprint returns "Sega Dreamcast". Wouldn't be a huge security boost, but it would help slow down the process of choosing a system to try and break. And the stupid kids who think they're hackers would probably just move on.

  2. Dogfood by arvindn · Score: 3, Interesting

    A lot of sites have to eat their own dogfood, like hotmail. Now they needn't any longer. If they can change their fingerprint, they can run linux and make it look like they're running NT. (They used to run FreeBSD earlier.)

  3. Re:This is good by OneEyedApe · Score: 2, Interesting

    They might compare sales to server stats, and decide that piracy is running rampant. With their kind of money, this could be a bad thing.

    --
    Life sucks, but death doesn't put out at all....
    --Thomas J. Kopp
  4. This is not really new... by sczimme · Score: 1, Interesting


    I believe IP Personality was there first.

    (Unfortunately I can't get to the linked story at the moment to confirm this.)

    --
    I want to drag this out as long as possible. Bring me my protractor.
  5. How much does it gain? by Anonymous Coward · Score: 4, Interesting

    I wonder how clever this deception is? It's easy enough to grab the version advertisement, but more difficult to make your system respond the same way as another OS, especially if that other OS is 'broken' in regard to TCP/IP. The question is whether you want to mimic the 'bug for bug' behaviour...

    There are some who disable ICMP response because it could help to show that a machine is active. Well, that's the canonical reason. But you can also use ICMP to (very slowly) move data, so at least in a far-fetched scenario it could be used as a vector for attack.

    Say someone wants to attack your server. NMAP shows the OS as Windows NT. However, attaching to port 80 shows an Apache version string that has been released with RedHat. The casual cracker may have been deterred by the OS advertisement, but anyone else would not have. If your defense depends to a large part on version obfuscation then you don't have a defense, simply put.

    So you could grep through all the sources for version strings of all your internet exposed services, but that won't gain anything. Does version obfuscation hurt? Probably not. Neither does changing your user-agent string in the browser, except that fewer non-IE browsers will be tallied. For this reason alone I don't change my user-agent string, nor do I change my OS signatures (though I know how to).

  6. Last year at InfowarCon... by sczimme · Score: 4, Interesting


    I was one of the instructors in the war games lab. To make things interesting for the students, I distributed nmap with a modified nmap-os-fingerprints file. Windows 2000 machines were reported as Solaris 2.6 (X86) and so forth. Some of the student responses were interesting. :-)

    --
    I want to drag this out as long as possible. Bring me my protractor.
  7. Re:IIS ftp by Jeremy Erwin · Score: 2, Interesting

    Those statistics are both obsolete:

    These numbers are dated; the collection and calculation of data stopped in early August 2001 due to a site migration issue. We are currently working on this issue and should have it resolved in the near future.

    and misleading:

    There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.

  8. Is this how iastate.edu does it? by aaron240 · Score: 2, Interesting

    If you use NetCraft to see what Iowa State is running, it says they are using /bin/sh as their webserver. Here are the results.

    Is this related? How do they do that? It must be a joke.

  9. Nmap's revenge by fv · Score: 5, Interesting

    The systems described in the paper such as IP Personality and Honeyd (my favorite), work by watching for the exact probes as described in my fingerprinting paper and then responding as detailed in the Nmap OS DB. But what about all the other TCP/IP techniques for fingerprinting a system? Later this year, I hope to add about half a dozen, including selective ACKs, TTL-normal-reply, and TTL-RST-Echo. Once these are implemented, spoofed systems will appear as a Dreamcast (or whatever) using the old techniques and will be exposed as their real OS via the new techniques. So Nmap could offer fingerprints like "Linux 2.4 pretending to be a Laserwriter". And attackers could even scan the 'Net looking for spoofed boxes -- let's hope the spoofing modules/programs don't open any security holes of their own!

    Of course, the spoofers will then update their software to recognize the new fingerprinting technique and the cycle begins anew. Ah well. I enjoyed Berrueta's paper, by the way.

    -Fyodor
    Concerned about your network security? Try the free Nmap Security Scanner
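Comments 5 and 9 both make the same point from different directions: a spoofing layer only answers the probes it knows about, so a service banner (comment 5) or an observable the classic probes never used, such as the TTL of ordinary and RST replies (comment 9), still reflects the real stack. The following is an added illustration of that cross-check, written here for a honeypot or decoy operator who wants to verify that a disguise is consistent before someone else notices; it is not nmap's code, and the reference table, signature names and sample observations are all constructed.

```python
"""Cross-check a host's classic-probe OS match against observables that a
spoofing layer may not cover. Constructed model, not nmap's real database."""
from dataclasses import dataclass, field

# Constructed reference data: per OS, the classic (spoofable) signature name,
# the initial TTL its stack uses, and banner prefixes one would expect on it.
REFERENCE = {
    "Linux 2.4":      {"classic": "linux24",   "initial_ttl": 64,  "banners": ("Apache", "OpenSSH")},
    "Windows NT":     {"classic": "winnt",     "initial_ttl": 128, "banners": ("Microsoft-IIS",)},
    "Sega Dreamcast": {"classic": "dreamcast", "initial_ttl": 64,  "banners": ()},
}

@dataclass
class Observation:
    classic_sig: str                 # what the classic probes (T1..T7, TSeq) matched
    reply_ttl: int                   # TTL seen on a normal reply (SYN/ACK), hops not yet added back
    rst_ttl: int                     # TTL seen on a RST reply to a closed port
    banners: list = field(default_factory=list)  # service banners collected from open ports

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (32/64/128/255)."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    raise ValueError("TTL out of range")

def classic_guess(obs):
    """OS named by the classic fingerprint alone, i.e. what a spoofer controls."""
    for name, ref in REFERENCE.items():
        if ref["classic"] == obs.classic_sig:
            return name
    return None

def inconsistencies(obs):
    """Evidence that the classic-probe match does not describe the real stack."""
    guess = classic_guess(obs)
    if guess is None:
        return ["no classic match"]
    ref = REFERENCE[guess]
    findings = []
    for label, ttl in (("reply", obs.reply_ttl), ("rst", obs.rst_ttl)):
        if initial_ttl(ttl) != ref["initial_ttl"]:
            findings.append(f"{label} TTL {ttl} implies initial {initial_ttl(ttl)}, "
                            f"{guess} uses {ref['initial_ttl']}")
    for banner in obs.banners:
        if not any(banner.startswith(prefix) for prefix in ref["banners"]):
            findings.append(f"banner {banner!r} not expected on {guess}")
    return findings
```

With the constructed scenario from comment 5 (classic probes say Windows NT, port 80 says Apache on Red Hat, replies arrive with TTL 57), the function returns three findings: both TTLs round up to 64 rather than 128, and the banner does not belong to NT.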