Fooling NMAP for Whatever Reason

taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a sega dreamcast, or Apple LaserWriter? Well Dream no more! David Berrueta has written a paper oulining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."

Oh what fun

[snitty]

I could just see slashdot running on a Trash - 80. .

Re:Oh what fun

[worst_name_ever]

I could just see slashdot running on a Trash - 80.

As opposed to just the sites where the stories are hosted?

That would be very amusing...

[analog_line]

...to see the first time some hacker scans my network to see that every server is running off a Dreamcast. Wouldn't that be funny if that became the secure standard? Every TCP/IP fingerprint returns "Sega Dreamcast". Wouldn't be a huge security boost, but it would help slow down the process of choosing a system to try and break. And the stupid kids who think they're hackers would probably just move on.

Re:That would be very amusing...

[Feztaa]

Nah, Sega Dreamcast is *way* too suspicious. Hackers would be like "WTF? How is that possible?" and then they'd explore further.

What you'd really want to do is set the fingerprint to something like the old, unpatched Windows 95. Then the attackers will think "ROFL, dumbass admin running windoze! ATTACK!" and then your logs show some lame attack that might have worked on windows, but doesn't work on linux, and you get an early warning of any attacks that come your way :)

Already common practice

[presroi]

Many servers hosting the web site of the US armed forces don't seem to be running the OS they are claiming to run. However, this *could* also be the result of some sort of load balancing.

Cool :)

[rf0]

I've seriouly been looking for this for my home box. Of course its only part of the way of hiding the real OS your running. One part of eunermation is to look at the banners that network servers show. For example telneting to my home box

[rghf@localhost rghf]$ telnet foo.wibble 22
Trying foo.wibble...
Connected to foo.wibble
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1

Shows I'm running debian (or am I? :). So changing these as well could give those l33t script kiddies some fun :)

Rus

Slashdotted

[joyoflinux]

Well, this proves that it doesn't matter what OS fingerprint you have, you can still get slashdotted...

PDF MIRROR HERE

[scubacuda]

I googled and found a mirror PDF site.

(But not before I d/led it to my local machine first!)

This is good

[garett_spencley]

Well I'm strongly against security through obscurity as a security infrastructure. However, as long as you have a solid, proven security infrastructure protecting your enviornment then adding a bit of obscurity over the top as an added layer can only be benefitial.

If I know that I've done everything to protect my x86 Linux box from an attack if the attacker already knows it's an x86 Linux box, what distro it's running, has access to my network (assuming the attacker is an employee) etc. then why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?

Though security through obscurity is not a good idea as the only form of protection, it can add another blanket of support and I'm all for that as long as you understand what you're doing and why.

Re:This is good

[Mononoke]

then why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?

What happens when we inadvertantly give M$ 98.2% of the 'known' server market? ^_^

Re:This is good

[mosch]

why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?

because script kiddies don't bother with fingerprinting, most of the time. they just run an attack and see if it happens to work. for proof of this, look at your apache logs.

Netcraft confirms

[RLiegh]

OS fingerprinting is dying!

(sorry. someone had to...)

Been there, done that...

[NetDanzr]

Well, not me personally. But what do you think Microsoft has been doing all the years? Considering how stable their site is (and taking into account the humongous crash when they tried to move Hotmail onto WinNT), I'm convinced that they've been running the whole MSN network on Unix-based servers, disguising them as Windows ;)

My FTP banner

[Phroggy]

phroggy@panther:~$ ftp ftp.webwizardry.net
Connected to webwizardry.net.
220 ftp.webwizardry.net Microsoft FTP Service (Version 5.0).
Name (ftp.webwizardry.net:phroggy):

Of course, it's actually ProFTPd on Slackware.

Re:My FTP banner

[ignorant_newbie]

heh :) way to hide your os - disguise your ftp banner, and then post the true OS on a website that no h4x0r ever reads

IIS ftp

[larry+bagina]

The Windows IIS FTP server has an option to spew MS-DOS style output or Unix style output.

Quoting from "Microsoft IIS 5 Administration" ) pp 52) ...

Although there are very sophisticated hackers who will attempt to break into your FTP sites through some very sophisticated means, you shouldn't make life any easier for them. Using the UNIX-style output can actually fend off some hackers because they cannot see the Microsoft FTP Service header at log on and see only the UNIX-style directory listing. This could make them believe they are using a UNIX/Linux server.

Longwinded way of saying Unix/Linux is percieved as being harder to crack. :)

Re:IIS ftp

[Orestesx]

Imagine the reverse: If you're running a unix/Linux server, and you disguised to look like a windows server, then it would be harder to crack because the cracker would use the wrong techniques. It doesn't really matter that unix/linux is perceived as more secure.

Dogfood

[arvindn]

A lot of sites have to eat their own dogfood, like hotmail. Now they needn't any longer. If they can change their fingerprint, they can run linux and make it look like they're running NT. (They used to run FreeBSD earlier.)

IP personality..

[RatOfTheLab]

Someone thought about OS fingerprint obfuscating a while ago... http://ippersonality.sourceforge.net/

Johny Cash Server

Yessiirreee,

I'm servin' mah HTTP files from this here ol' guitar and my FTP files from an empty bottle-a-booze.

And this post, yes HTTP_REFERER was from the ol' cadillac factory I once worked at; the one where I snagged my dancin' machine car one peice at a time over twenty or some number of years-*HICUP*

-SlashdotTroll (because slashdot don't like me, my karma is terrible, and at -1 they only let me post twice in 24hours from this ol' Folsom prison I'm stuck in.)

Very few actual portscans

[Alioth]

I've seen very few portscans against any of my internet connected boxes. The usual unsolicited connection attempts tend to be for well-known exploits (18 months ago, port 111 was *really* popular with several attempts a day). I'm not really sure whether it's worth the effort going out of your way to do things to change the OS fingerprint that nmap comes up with (even under good conditions, I've never found nmap's fingerprint particularly reliable or accurate anyway)

Must not hide

[Beliskner]

Hiding your OS is something the corporations will not do. To maintain compliance with Micro$oft licence terms and the BSA they mnust periodically audit their systems to count the number of software installations using automated scanning software such as Centennial

If their computers start lying about their OS and software installed then the BSA will invade them and stick 100 lawyers on their head before you can say "Nmap"

I see no reason to NOT do this

[fudgefactor7]

Any level of additional security, brought about by "lying" or "fooling" is a great thing. After all, nobody needs to know your OS except you. But my opinion is that people should keep their faked responses within the realm of reason. No Sega Dreamcasts, no TI calculators, no Epson Dot Matrix LQ-2170 printers... If you lie, it must be a believable lie or it will be transparently obvious and the h4x0r will figure it out instantly. And that's not a security boon at all.

Re:I see no reason to NOT do this

[huhmz]

Actually emulating a TI calculator will make the attacker think "well this guy obviously has the skill and have taken the time to emulate a silly calculator, better not screw with someone as l33t as him"

been done, in production

[Permission+Denied]

see here. This project is a couple of years old. I was considering writing it myself when I ran across that someone else has already done it.

Takes a completely different approach to what I was thinking - I was thinking of doing it all in userspace. Run some daemon that uses libpcap and "responds" to certain ports like a real machine. Basically means a TCP stack in userspace, so it's not a trivial undertaking but still lots of fun. I was also thinking of making it use nmap's own configuration files so you can simply specify what OS you want it to look like and it looks up the params in the config file. Only disadvantage is that you want it to pass "real" packets in to the kernel for normal processing so this is only useful in limited situations (when you can firewall a machine off completely from the Internet and only need it to serve up something within your organization). I was also considering writing something that uses FreeBSD's divert sockets since you could integrate that nicely with your firewall, but it wouldn't be as portable as the other approach (which would work wherever pcap works).

Anyway, this has been done. The paper seems slashdotted so I can't read it.

Sometimes deliberate, sometimes not.

[radon28]

From the Netcraft FAQ:

Why do you report impossible operating system/server combinations ?

Webservers that operate behind a caching system, load balancer, reverse proxy server or a firewall may sometimes report the operating system of the intermediate machine. Hence reports of 'Microsoft/IIS on Linux' may indicate that either the web server is behind a Linux server that is acting as a reverse proxy, or has configured the Akamai caching system such that the first request to the site goes to one of Akamai's servers [which run Linux], or as in the case of www.walmart.com has been configured to send a misleading signature.

Re:This is good (maybe not)

[dan+g]

Well I'm strongly against security through obscurity as a security infrastructure. However, as long as you have a solid, proven security infrastructure protecting your enviornment then adding a bit of obscurity over the top as an added layer can only be benefitial.

Yes, except you are implementing this security by fucking with your tcp/ip stack. In other words, you are taking the 'solid, proven security infrastructure' and stirring it up a bit. It is no longer proven to be solid so this bit of obscurity could have cost you some real security. Personally this is not a patch I'd go applying to production machines.

dan.

How much does it gain?

I wonder how clever this deception is? It's easy enough to grab the version advertisement, but more difficult to make your system respond the same way as another OS, especially if that other OS is 'broken' in regard to TCP/IP. The question is whether you want to mimic the 'bug for bug' behaviour...

There are some who disable ICMP response because it could help to show that a machine is active. Well, that's the canonical reason. But you can also use ICMP to (very slowly) move data, so at least in a far-fetched scenario it could be used a vector for attack.

Say someone wants to attack your server. NMAP shows the OS as Windows NT. However, attaching to port 80 shows an Apache version string that has been released with RedHat. The casual cracker may have been deterred by the OS advertisement, but anyone else would not have. If your defense depends to a large part on version obfuscation then you don't have a defense, simply put.

So you could grep through all the sources for version strings of all your internet exposed services, but that won't gain anything. Does version obfuscation hurt? Probably not. Neither does changing your user-agent string in the browser, except that fewer non-IE browsers will be tallied. For this reason alone I don't change my user-agent string, nor do I change my OS signatures (though I know how to).

honeyd does this already

[quigonn]

honeyd is able to do this already for quite a long time. With honeyd you can basically create "virtual hosts", running on another computer, with their own IP address, their own IP personality (it comes with a large database of them), and their own services (basically, every inetd-capable program can be used as server with it). You can even create a "virtual network" of them, with configurable routes, latency and packet loss. Indistinguishable from real computers and networks.

Last year at InfowarCon...

[sczimme]

I was one of the instructors in the war games lab. To make things interesting for the students, I distributed nmap with a modified nmap-os-fingerprints file. Windows 2000 machines were reported as Solaris 2.6 (X86) and so forth. Some of the student responses were interesting. :-)

cool, but... random ips used by worms...

[joejoejoejoe]

This is cool and all, but these days worms and virii select victims at random so your fingerprint won't make a damn bit of difference, except you might think you are a bit safer but you are not.

Yes, you sure can!

[fv]

Indeed, my site is just listed in passing, yet my web traffic suddenly tripled .

As for the paper, I found it interesting and amusing enough to announce to the nmap-hackers. I'm all for doing this to your personal machines for entertainment and experimental value, but would almost never recommend it as a serious security hardening technique. Your time is almost always better spent working on fundamental security improvements such as applying patches, tightening firewalls, installing IDS systems, removing unnecessary services and setuid binaries, auditing system logs, etc. And sometimes this type of spoofing can actually increase security risk. Nmap expects many modern UNIX operating systems to offer nearly-unpredictable generation of TCP initial sequence numbers and the IP ID field. Crippling the generators to appear as a printer can make you vulnerable to TCP connection spoofing and a plethora of vulnerabilities related to the new Nmap Idle Scan technique.

And remember that many or most worms and script kiddies simply spew their exploit code to every listening server rather than bothering with fingerprints. All the attempted IIS exploits in my Apache log are testament to that! And if you attract a more competent attacker, you probably won't fool them for long anyway.

-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner

Nmap's revenge

[fv]

The systems described in the paper such as IP Personality and Honeyd (my favorite), work by watching for the exact probes as described in my fingerprinting paper and then responding as detailed in the Nmap OS DB. But what about all the other TCP/IP techniques for fingerprinting a system? Later this year, I hope to add about half a dozen, including selective ACKs, TTL-normal-reply, and TTL-RST-Echo. Once these are implemented, spoofed systems will appear as a Dreamcast (or whatever) using the old techniques and will be exposed as their real OS via the new techniques. So Nmap could offer fingerprints like "Linux 2.4 pretending to be a Laserwriter". And attackers could even scan the 'Net looking for spoofed boxes -- lets hope the spoofing modules/programs don't open any security holes of their own!

Of course, the spoofers will then update their software to recognize the new fingerprinting technique and the cycle begins anew. Ah well. I enjoyed Berrueta's paper, by the way.

-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner