Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fooling NMAP for Whatever Reason

Posted by CmdrTaco on from the well-now-isn't-that-fun dept.

taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a sega dreamcast, or Apple LaserWriter? Well Dream no more! David Berrueta has written a paper oulining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."

8 of 192 comments (clear)

  1. PDF MIRROR HERE by scubacuda · · Score: 5, Informative
    I googled and found a mirror PDF site.

    (But not before I d/led it to my local machine first!)

  2. This is good by garett_spencley · · Score: 5, Insightful

    Well I'm strongly against security through obscurity as a security infrastructure. However, as long as you have a solid, proven security infrastructure protecting your enviornment then adding a bit of obscurity over the top as an added layer can only be benefitial.

    If I know that I've done everything to protect my x86 Linux box from an attack if the attacker already knows it's an x86 Linux box, what distro it's running, has access to my network (assuming the attacker is an employee) etc. then why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?

    Though security through obscurity is not a good idea as the only form of protection, it can add another blanket of support and I'm all for that as long as you understand what you're doing and why.

  3. Netcraft confirms by RLiegh · · Score: 5, Funny

    OS fingerprinting is dying!

    (sorry. someone had to...)

  4. IIS ftp by larry+bagina · · Score: 5, Funny
    The Windows IIS FTP server has an option to spew MS-DOS style output or Unix style output.

    Quoting from "Microsoft IIS 5 Administration" ) pp 52) ...

    Although there are very sophisticated hackers who will attempt to break into your FTP sites through some very sophisticated means, you shouldn't make life any easier for them. Using the UNIX-style output can actually fend off some hackers because they cannot see the Microsoft FTP Service header at log on and see only the UNIX-style directory listing. This could make them believe they are using a UNIX/Linux server.

    Longwinded way of saying Unix/Linux is percieved as being harder to crack. :)

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  5. IP personality.. by RatOfTheLab · · Score: 5, Informative

    Someone thought about OS fingerprint obfuscating a while ago... http://ippersonality.sourceforge.net/

  6. honeyd does this already by quigonn · · Score: 5, Informative

    honeyd is able to do this already for quite a long time. With honeyd you can basically create "virtual hosts", running on another computer, with their own IP address, their own IP personality (it comes with a large database of them), and their own services (basically, every inetd-capable program can be used as server with it). You can even create a "virtual network" of them, with configurable routes, latency and packet loss. Indistinguishable from real computers and networks.

    --
    A monkey is doing the real work for me.
  7. Yes, you sure can! by fv · · Score: 5, Insightful
    Indeed, my site is just listed in passing, yet my web traffic suddenly tripled .

    As for the paper, I found it interesting and amusing enough to announce to the nmap-hackers. I'm all for doing this to your personal machines for entertainment and experimental value, but would almost never recommend it as a serious security hardening technique. Your time is almost always better spent working on fundamental security improvements such as applying patches, tightening firewalls, installing IDS systems, removing unnecessary services and setuid binaries, auditing system logs, etc. And sometimes this type of spoofing can actually increase security risk. Nmap expects many modern UNIX operating systems to offer nearly-unpredictable generation of TCP initial sequence numbers and the IP ID field. Crippling the generators to appear as a printer can make you vulnerable to TCP connection spoofing and a plethora of vulnerabilities related to the new Nmap Idle Scan technique.

    And remember that many or most worms and script kiddies simply spew their exploit code to every listening server rather than bothering with fingerprints. All the attempted IIS exploits in my Apache log are testament to that! And if you attract a more competent attacker, you probably won't fool them for long anyway.

    -Fyodor
    Concerned about your network security? Try the free Nmap Security Scanner

  8. Nmap's revenge by fv · · Score: 5, Interesting

    The systems described in the paper such as IP Personality and Honeyd (my favorite), work by watching for the exact probes as described in my fingerprinting paper and then responding as detailed in the Nmap OS DB. But what about all the other TCP/IP techniques for fingerprinting a system? Later this year, I hope to add about half a dozen, including selective ACKs, TTL-normal-reply, and TTL-RST-Echo. Once these are implemented, spoofed systems will appear as a Dreamcast (or whatever) using the old techniques and will be exposed as their real OS via the new techniques. So Nmap could offer fingerprints like "Linux 2.4 pretending to be a Laserwriter". And attackers could even scan the 'Net looking for spoofed boxes -- lets hope the spoofing modules/programs don't open any security holes of their own!

    Of course, the spoofers will then update their software to recognize the new fingerprinting technique and the cycle begins anew. Ah well. I enjoyed Berrueta's paper, by the way.

    -Fyodor
    Concerned about your network security? Try the free Nmap Security Scanner