Fooling NMAP for Whatever Reason
taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a Sega Dreamcast, or an Apple LaserWriter? Well, dream no more! David Berrueta has written a paper outlining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."
Oh what fun (Score:4, Funny)
Re:Oh what fun (Score:5, Funny)
As opposed to just the sites where the stories are hosted?
First post (Score:1, Funny)
That would be very amusing... (Score:4, Interesting)
Re:That would be very amusing... (Score:1, Insightful)
Re:That would be very amusing... (Score:3, Funny)
What you'd really want to do is set the fingerprint to something like the old, unpatched Windows 95. Then the attackers will think "ROFL, dumbass admin running windoze! ATTACK!" and then your logs show some lame attack that might have worked on Windows, but doesn't work on Linux, and you get an early warning of any attacks that come your way.
Re:That would be very amusing... (Score:2)
Already common practice (Score:5, Insightful)
Re:Already common practice (Score:1, Redundant)
walmart.com [netcraft.com]
Sometimes deliberate, sometimes not. (Score:5, Informative)
Why do you report impossible operating system/server combinations ?
Webservers that operate behind a caching system, load balancer, reverse proxy server or a firewall may sometimes report the operating system of the intermediate machine. Hence reports of 'Microsoft/IIS on Linux' may indicate that either the web server is behind a Linux server that is acting as a reverse proxy, or has configured the Akamai caching system such that the first request to the site goes to one of Akamai's servers [which run Linux], or as in the case of www.walmart.com has been configured to send a misleading signature.
Wal-Mart does it (Score:3, Insightful)
Cool :) (Score:5, Informative)
[rghf@localhost rghf]$ telnet foo.wibble 22
Trying foo.wibble...
Connected to foo.wibble
Escape character is '^]'.
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
Shows I'm running Debian (or am I?)
Rus
Re:Cool :) (Score:1, Redundant)
Re:Cool :) (Score:2, Funny)
Re:Cool :) (Score:1)
Ummm... (Score:3, Informative)
Re:Cool :) (Score:2)
... and I thought telnet was port 23, not 22...
Re:Cool :) (Score:2)
Re:Cool :) (Score:1)
If you miss something small that can ID your OS, someone who's determined might find it, but why would they bother if they think they already know?
Incorrect, boy wonder! (Score:2)
not so cool (Score:2)
The first thing I do when setting up _any_ *nix box is to ensure that you CAN'T telnet to it, period!!!!
Use only sshd.
Re:not so cool (Score:3, Insightful)
I can always telnet to a UNIX box - regardless if you remove telnetd or not.
It's just that I have to use another port.
I've sent email and surfed the web using telnet!
Telnet is very useful to debug a port with a text protocol...
However it's not a secure way to log in to a box!
Telnetd (Score:2)
Slashdotted (Score:3, Funny)
Yes, you sure can! (Score:5, Insightful)
As for the paper, I found it interesting and amusing enough to announce [insecure.org] to the nmap-hackers [insecure.org]. I'm all for doing this to your personal machines for entertainment and experimental value, but would almost never recommend it as a serious security hardening technique. Your time is almost always better spent working on fundamental security improvements such as applying patches, tightening firewalls, installing IDS systems, removing unnecessary services and setuid binaries, auditing system logs, etc. And sometimes this type of spoofing can actually increase security risk. Nmap expects many modern UNIX operating systems to offer nearly-unpredictable generation of TCP initial sequence numbers and the IP ID field. Crippling the generators to appear as a printer can make you vulnerable to TCP connection spoofing and a plethora of vulnerabilities related to the new Nmap Idle Scan [insecure.org] technique.
And remember that many or most worms and script kiddies simply spew their exploit code to every listening server rather than bothering with fingerprints. All the attempted IIS exploits in my Apache log are testament to that! And if you attract a more competent attacker, you probably won't fool them for long anyway.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner [insecure.org]
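Fyodor's point that a stack "crippled" to imitate a printer hands an attacker predictable initial sequence numbers can be checked from the defender's side. The following is an added example, not code from the thread, from Nmap or from the paper: it takes a list of ISNs sampled from a host (here generated by constructed stand-in generators) and reports how much of the next ISN a blind sender would still have to guess. The labels and thresholds are constructed for illustration and are not Nmap's TSeq algorithm; only the idea (look at the deltas between consecutive ISNs) is the same.

```python
"""Added example: a simplified TCP ISN predictability check.
Not Nmap's code or algorithm; thresholds and labels are constructed."""
import math
import random
from functools import reduce

MOD = 2 ** 32  # ISNs are 32-bit values and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns):
    """Return (label, gcd_of_deltas, spread_bits).

    spread_bits is log2 of the standard deviation of the deltas: roughly how
    many bits of the next ISN an off-path sender would have to guess.
      'constant' : every delta identical, the next ISN is known exactly
      'low'      : deltas vary in a narrow band, guessable by brute force
      'random'   : deltas spread over (most of) the 32-bit space
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    g = reduce(math.gcd, deltas)
    mean = sum(deltas) / len(deltas)
    var = sum((d - mean) ** 2 for d in deltas) / len(deltas)
    spread_bits = math.log2(math.sqrt(var)) if var > 0 else 0.0
    if var == 0:
        label = "constant"
    elif spread_bits < 16:
        label = "low"
    else:
        label = "random"
    return label, g, spread_bits


# --- constructed sample generators standing in for real hosts ---------------

def printer_like_isns(n, start=0x1000, step=64000):
    """Fixed-increment generator (the behaviour Nmap's old "64K" TSeq class
    describes); this is what a spoofed 'printer' stack would expose."""
    return [(start + i * step) % MOD for i in range(n)]


def jittered_isns(n, start=0x1000, step=64000, jitter=500, seed=1):
    """Fixed increment plus a little noise: still easy to brute-force."""
    rng = random.Random(seed)
    out, cur = [], start
    for _ in range(n):
        out.append(cur % MOD)
        cur += step + rng.randrange(jitter)
    return out


def random_isns(n, seed=1):
    """Stand-in for a modern stack with unpredictable ISNs."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, isns in [("printer-like", printer_like_isns(16)),
                       ("jittered", jittered_isns(32)),
                       ("random", random_isns(64))]:
        label, g, bits = classify_isn(isns)
        print(f"{name:13s} class={label:9s} gcd={g:<8d} spread={bits:.1f} bits")
```

Run against ISNs captured from your own host (for example the sequence numbers of SYN/ACKs to a series of connection attempts), a 'constant' or 'low' result after installing a stack-personality module is exactly the regression Fyodor warns about.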
PDF MIRROR HERE (Score:5, Informative)
(But not before I d/led it to my local machine first!)
This is good (Score:5, Insightful)
If I know that I've done everything to protect my x86 Linux box from an attack if the attacker already knows it's an x86 Linux box, what distro it's running, has access to my network (assuming the attacker is an employee) etc. then why not make it so that script kiddies will think it's a commodore 64 and will try and exploit it as so?
Though security through obscurity is not a good idea as the only form of protection, it can add another blanket of support and I'm all for that as long as you understand what you're doing and why.
Re:This is good (Score:3, Insightful)
Re:This is good (Score:2, Interesting)
Re:This is good (Score:2)
If they can, then any attempt to change it to an IIS server could be piracy (!) and you'd get slapped with a hefty fine. Which would suck.
Re:This is good (Score:2, Funny)
We get even more crap directed against our webservers until we get tired, and declare it to be a BSD box.
Dammit, just give up asking my linux/apache server for "../../../../windows/" you morons!
Re:This is good (Score:5, Insightful)
Re:This is good (Score:2)
Re:This is good (Score:1)
True. Taking a look at this months logs, the number one requested document not found was
Re:This is good (Score:1)
Re:This is good (Score:2)
It's obviously not foolproof, but anything you can do as an admin to make a cracker's job harder, the better off you'll be.
Re:This is good (Score:2)
From the PDF:
The purpose of this paper is to try to enumerate and briefly describe all applications and techniques deployed for defeating Nmap OS Fingerprint, but in any case, security by obscurity is not a good approach; it can be a good security measure but please take into account that it is more important to have a tight security environment (patches, firewalls, ids,
Re:This is good (maybe not) (Score:5, Insightful)
Yes, except you are implementing this security by fucking with your tcp/ip stack. In other words, you are taking the 'solid, proven security infrastructure' and stirring it up a bit. It is no longer proven to be solid so this bit of obscurity could have cost you some real security. Personally this is not a patch I'd go applying to production machines.
dan.
Re:This is good (Score:3, Insightful)
While you're at it, using the same technique to bait CodeRed and Slapper worms and hold them on your server for as long as possible might slow them down a bit too (if enough people were doing it). Unfortunately the Slapper variant that is still around has a 15 second timeout, but I've heard of tarpits keeping CodeRe
why emulate the IP stack (Score:1)
11 posts and already my browser is in for the long night.
Personally, I would have thought of setting a couple of reserved bits in the header at random and changing the telnet banner to "my other system is a skoda", and I suspect you will be just as well off.
Re:why emulate the IP stack (Score:3, Insightful)
Something they've never seen before is interesting, and the would be hacker would likely pry a bit deeper. Giving them false information either makes them disinterested ("some idiot put up a Dreamcast on the web, how stupid") or leads them to attack in a way you are expecting, and that you know will be ineffective. Watching for these known false attacks could act as some part of an early warning al
Netcraft (Score:3, Insightful)
Re:Netcraft (Score:1)
Re:Netcraft (Score:2)
Re:Netcraft (Score:1)
People need to recognize that 'the Web' is only a part, and actually a fairly irrele
Netcraft confirms (Score:5, Funny)
(sorry. someone had to...)
Re:Netcraft confirms (Score:1)
Been there, done that... (Score:5, Funny)
Re:Been there, done that... (Score:2)
In fact, M$ has a whole lab full of x86/windoze machines set up (that were going to be the hotmail.com servers until the experiment went terribly wrong). They use this decoy when journalists and such come
My FTP banner (Score:5, Funny)
Re:My FTP banner (Score:3, Funny)
IIS ftp (Score:5, Funny)
Quoting from "Microsoft IIS 5 Administration" (p. 52) ...
Longwinded way of saying Unix/Linux is perceived as being harder to crack. :)
Re:IIS ftp (Score:3, Insightful)
Re:IIS ftp (Score:3, Interesting)
These numbers are dated; the collection and calculation of data stopped in early August 2001 due to a site migration issue. We are currently working on this issue and should have it resolved in the near future.
and misleading:
There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they
Re:IIS ftp (Score:3, Informative)
Adding "an additional ten vulnerabilities" would simply make the data even more meaningless than the authors of security focus already assert the data to be.
"The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made."
But I'll play along:
Windows NT/2000 10 8 78 97 42
Debian 3 2 31 55 28
Debian GNU/L
Dogfood (Score:4, Interesting)
IP personality.. (Score:5, Informative)
Re:IP personality.. (Score:1)
Re:IP personality.. (Score:1)
This is not really new... (Score:2, Interesting)
I believe IP Personality [sourceforge.net] was there first.
(Unfortunately I can't get to the linked story at the moment to confirm this.)
Re:This is not really new... (Score:2, Informative)
"IP Personality
The first and probably, best option is IP Personality. It's a netfilter module (then, only available for 2.4 linux kernels) that allows us to change the IP stack behaviour and 'personality', having multiple network personalities depending on parameters that you can specify as an iptables rule. "
etc, etc, etc..
ObReadTheParentPostFirst (Score:2)
I said quite clearly that I could not get to the linked article:
(Unfortunately I can't get to the linked story at the moment to confirm this.)
Was that too cryptic?
Johny Cash Server (Score:4, Funny)
I'm servin' mah HTTP files from this here ol' guitar and my FTP files from an empty bottle-a-booze.
And this post, yes HTTP_REFERER was from the ol' cadillac factory I once worked at; the one where I snagged my dancin' machine car one piece at a time over twenty or some number of years-*HICUP*
-SlashdotTroll (because slashdot don't like me, my karma is terrible, and at -1 they only let me post twice in 24hours from this ol' Folsom prison I'm stuck in.)
reminds me of... (Score:2, Informative)
Some researchers set up a Unix server, went into a script kiddies' IRC channel and said they found this wide-open Windows box, saying it contained credit card numbers or something like that, giving the IP of their honeypot.
Not one kiddie tried a Unix sploit on the box; 100% of the attempts were exploits designed for Windows.
So for fooling nmap, if you're a security admin, set up your Windows boxen with Unix fingerprints and vice versa, and you'll a
think of it this way.... (Score:2)
You've probably already read through the NSA security guide [conxion.com], hardened the OS [systemexperts.com], DELETED [ntsecurity.nu] (not just disabled) the guest account, etc.
In which case, most of the k1dd13 hacks won't affect you...
Mirror (Score:3, Redundant)
Please mod this down so I don't get slashdotted too badly.
Very few actual portscans (Score:4, Informative)
Re:Very few actual portscans (Score:1, Informative)
On a related note, if you're running Samba, go get 2.2.8. Don't wait until Slashdot posts it to the main page.
Thank me later.
Re:Very few actual portscans (Score:2)
Re:Very few actual portscans (Score:2)
What you should be looking for is the precursor to portscans: Broadcast storms.
We have some (12 MHz) SPARC IPCs, running about 16 rstatd graphs apiece, sitting on top of our bookshelves at work, so that we can see the status of all our machines. A couple of times a day, we see the packet traffic spike on all machines simultaneously because of a packet storm: packets getting sent to the broadcast address, and all that.
After those
Must not hide (Score:4, Informative)
If their computers start lying about their OS and software installed then the BSA will invade them and stick 100 lawyers on their head before you can say "Nmap"
Re:Must not hide (Score:2)
If I put all my windows servers behind a firewall, suddenly I have no windows servers! So I don't need any licenses! Hooray!
Re:Must not hide (Score:2)
If Hewlett Packard or something said "Uhhh we have a firewall and no Windows seats" then all it takes is ONE EMPLOYEE's sworn affidavit and he'll get a $250,000 BSA reward. Hewlett Packard's bosses will then even have their shit collected by lawyers to see if they'
I see no reason to NOT do this (Score:5, Insightful)
Re:I see no reason to NOT do this (Score:3, Funny)
Re:I see no reason to NOT do this (Score:1)
In fact, I may have to buy a XPort and see what I can do.
Last year at InfowarCon... (Score:5, Interesting)
I was one of the instructors in the war games lab. To make things interesting for the students, I distributed nmap with a modified nmap-os-fingerprints file. Windows 2000 machines were reported as Solaris 2.6 (X86) and so forth. Some of the student responses were interesting.
Re:Last year at InfowarCon... (Score:1)
True - you could have been a real bastard, and redirected port 80 and DNS requests to your own mirror, but there's always a dialup if you look far enough...
Moral - if I was at a conference dedicated to security, I'd take nothing for granted.
But, as they say round here, "there's nowt so queer as folks."
Re:I see no reason to NOT do this (Score:2, Funny)
I use this so that people think my Sega Dreamcast, TI calculator, and Epson Dot Matrix are normal servers.
been done, in production (Score:4, Informative)
Takes a completely different approach to what I was thinking - I was thinking of doing it all in userspace. Run some daemon that uses libpcap and "responds" to certain ports like a real machine. Basically means a TCP stack in userspace, so it's not a trivial undertaking but still lots of fun. I was also thinking of making it use nmap's own configuration files so you can simply specify what OS you want it to look like and it looks up the params in the config file. Only disadvantage is that you want it to pass "real" packets in to the kernel for normal processing so this is only useful in limited situations (when you can firewall a machine off completely from the Internet and only need it to serve up something within your organization). I was also considering writing something that uses FreeBSD's divert sockets since you could integrate that nicely with your firewall, but it wouldn't be as portable as the other approach (which would work wherever pcap works).
Anyway, this has been done. The paper seems slashdotted so I can't read it.
no need.. portsentry? (Score:1)
People who scan my servers get their routes dropped. Why would I want to fool them for being fools and scanning my servers?
Re:no need.. portsentry? (Score:3, Insightful)
Unless it is an all out attack, I just report it to the netblock owner. Most of the time (almost always) the report goes ignored and unanswered.
portsentry? (Score:2)
The alternative, and to me far more sensible, approach, is to drop all packets that aren't something you want, in a firewall, up ahead. If someone treats you to a multi-port scan, well, it appears in the logs. If someone scans you on a port on which you're listen
Re:portsentry? (Score:2)
I agree with what you say, but I do firewall everything, and only let in what I want. However, I do also open pinholes for portsentry to listen on.
I either move SSH to another port, and put portsentry listening on tcp/22, or just open some commonly used service port that isn't running on my machine. (imap, pop3, ftp, telnet, snmp - you get the idea).
I get the firewalling, plus it dumps an iptables rule in for any idiot scripts, portscanners, kiddies. Not infallible, but it makes it a little mo
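The two posts above agree on where a scan becomes visible: in the firewall log, as one source touching many ports in a short time. The following is an added example, not from the thread and not portsentry's code, that implements that detection over constructed kernel log lines written in the style of iptables LOG output (RFC 5737 documentation addresses, invented timestamps). It flags a source once it has hit at least `min_ports` distinct TCP ports on one destination inside a sliding `window`; both parameters are constructed defaults to tune for your own environment.

```python
"""Added example: port-scan detection over iptables-style firewall log
lines. The log lines, addresses and thresholds are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Mimics iptables LOG output; the optional group is absent for ICMP lines.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: one fast scanner, one ordinary web client, one host
# that pings and later tries a single port.
SAMPLE_LOG = """\
Mar 15 10:00:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 15 10:00:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 15 10:00:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 15 10:00:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 15 10:00:03 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40005 DPT=80 SYN
Mar 15 10:00:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40006 DPT=110 SYN
Mar 15 10:00:04 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40007 DPT=139 SYN
Mar 15 10:00:04 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=40008 DPT=443 SYN
Mar 15 10:00:05 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=56 PROTO=TCP SPT=51000 DPT=80 SYN
Mar 15 10:00:40 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=56 PROTO=TCP SPT=51001 DPT=443 SYN
Mar 15 10:01:10 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=56 PROTO=TCP SPT=51002 DPT=80 SYN
Mar 15 10:00:30 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TTL=50 PROTO=ICMP TYPE=8 CODE=0
Mar 15 10:20:00 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=44 TTL=50 PROTO=TCP SPT=1234 DPT=1433 SYN
"""


def parse_events(text, year=2003):
    """Return (timestamp, src, dst, dport) for every TCP line; syslog
    timestamps carry no year, so one is supplied for ordering."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP" or m["dpt"] is None:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events


def find_scanners(events, window=timedelta(seconds=60), min_ports=5):
    """Map src -> sorted distinct ports for sources that touched at least
    min_ports distinct destination ports on one host within `window`."""
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in sorted(events):
        by_pair[(src, dst)].append((ts, dpt))
    flagged = defaultdict(set)
    for (src, dst), hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1          # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] |= ports
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == "__main__":
    for src, ports in find_scanners(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {len(ports)} distinct ports {ports}")
```

The web client (two distinct ports, spread over a minute) and the slow host (one TCP port) stay below the threshold, while the scanner is reported with the full set of ports it touched; that report is what you would forward to the netblock owner, as the earlier post suggests, rather than acting on any single log line.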
Religious war now! (Score:1, Flamebait)
See the url above if you wish to purify yourself.
Favourite OS of Choice (Score:2)
So: What would your favourite OS of choice to pretend to be, and why aren't you using it anyway?
How much does it gain? (Score:4, Interesting)
There are some who disable ICMP response because it could help to show that a machine is active. Well, that's the canonical reason. But you can also use ICMP to (very slowly) move data, so at least in a far-fetched scenario it could be used as a vector for attack.
Say someone wants to attack your server. NMAP shows the OS as Windows NT. However, attaching to port 80 shows an Apache version string that has been released with RedHat. The casual cracker may have been deterred by the OS advertisement, but anyone else would not have. If your defense depends to a large part on version obfuscation then you don't have a defense, simply put.
So you could grep through all the sources for version strings of all your internet exposed services, but that won't gain anything. Does version obfuscation hurt? Probably not. Neither does changing your user-agent string in the browser, except that fewer non-IE browsers will be tallied. For this reason alone I don't change my user-agent string, nor do I change my OS signatures (though I know how to).
Re:How much does it gain? (Score:2)
house fly webserver (Score:1)
honeyd does this already (Score:5, Informative)
cool, but... random ips used by worms... (Score:3, Funny)
Hi (Score:3, Informative)
Exported bookmarks Fingerprint
blackhole(4) - a sysctl(8) MIB for manipulating TCP [gsp.com]
Help Net Security OS-FngrPrint article in PDF [net-security.org]
Honeyd - Network Rhapsody for You [umich.edu]
http://ojnk.sourceforge.net/stuff/iplog.readme [sourceforge.net]
http://www.insecure.org/nmap/nmap-fingerprinting-
IP Personality - Home [sourceforge.net]
Kernel Options [freebsd.org]
p0f file listing [stearns.org]
PhoneBoys FireWall-1 FAQs: Blocking queSO packets [phoneboy.com]
s0ftpr0ject 2000 Fingerprint Fucker [s0ftpj.org]
Security Technologies [innu.org]
SourceForge.net: Project Info - SING [sourceforge.net]
Sys-Security.com - Because Security is not Trivial [sys-security.com]
USENIX Technical Program - Abstract - Security Symposium - 2000 [usenix.org]
my server... (Score:1)
Well, what other purpose would this serve other than convincing people that your server is a Com64. I sure as hell don't know a better reason
All very well and good. (Score:3, Insightful)
So practically speaking, 99.999% of mundane risks (kiddies, scripts, worms) out there do minimal OS detection, and pretty much shoot attacks at random IPs. Those that do some form of detection before trying to attack certainly aren't using NMAP to scan (server version detection is far more common, and is not limited to version strings).
For my money the time spent on stack-signature obfuscation would be far better invested in actual security measures (e.g. staying up to date on patches, implementing defense-in-depth or deploying hardened OSs).
Sure, if you're going to put your servers behind a load balancer, packet filter or proxy, then you may well get a measure of obfuscation for free, but if the security implementation on the screened systems is no good you're going to get rooted anyway.
Is this how iastate.edu does it? (Score:2, Interesting)
If you use NetCraft [netcraft.com] to see what Iowa State [iastate.edu] is running, it says they are using /bin/sh as their webserver. Here [netcraft.com] are the results.
Is this related? How do they do that? It must be a joke.
Please don't confuse NetCraft with Port Scanners (Score:1, Informative)
Nmap is a port scanner; it scans ports. Every TCP packet contains a fingerprint. That fingerprint can be analysed to give the OS.
NetCraft uses an HTTP server scanner. It only scans port 80 for an HTTP server and analyses its results.
That means:
a) These are two completely different things.
b) It's much easier to fool NetCraft than nmap.
Nmap's revenge (Score:5, Interesting)
The systems described in the paper such as IP Personality and Honeyd (my favorite), work by watching for the exact probes as described in my fingerprinting paper [insecure.org] and then responding as detailed in the Nmap OS DB. But what about all the other TCP/IP techniques for fingerprinting a system? Later this year, I hope to add about half a dozen, including selective ACKs, TTL-normal-reply, and TTL-RST-Echo. Once these are implemented, spoofed systems will appear as a Dreamcast (or whatever) using the old techniques and will be exposed as their real OS via the new techniques. So Nmap could offer fingerprints like "Linux 2.4 pretending to be a Laserwriter". And attackers could even scan the 'Net looking for spoofed boxes -- let's hope the spoofing modules/programs don't open any security holes of their own!
Of course, the spoofers will then update their software to recognize the new fingerprinting technique and the cycle begins anew. Ah well. I enjoyed [insecure.org] Berrueta's paper, by the way.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner [insecure.org]
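Fyodor's "Linux 2.4 pretending to be a Laserwriter" verdict, the Netcraft FAQ's "Microsoft/IIS on Linux" combinations quoted earlier, and the "don't confuse NetCraft with port scanners" post all rest on the same observation: OS evidence comes from several independent layers, and a tool that rewrites only one of them leaves the others to contradict it. The following is an added example, not code or data from the thread, from Nmap or from Netcraft, that cross-checks three such layers for one host: the stack features the first-generation probes looked at (ISN class, DF bit, SYN/ACK window), stand-ins for the additional tests the post says were planned (TTL of a normal reply, TTL of a RST), and the application banner that Netcraft-style scanning relies on. The TSeq class names (C, 64K, RI, TR) are Nmap's; every profile value, host record and banner rule below is constructed for the demo and is not a fingerprint from nmap-os-fingerprints.

```python
"""Added example: cross-checking OS evidence from independent layers.
Profiles, hosts and banner rules are constructed; not Nmap or Netcraft data."""
import re

LEGACY = ("isn", "df", "win")        # what the spoofing tools rewrite
EXTENDED = ("ttl", "rst_ttl")        # stand-ins for the newer tests

# Constructed profile database. Default TTLs 64/128/255 are real defaults of
# Linux, Windows and many embedded stacks; the window values are invented.
PROFILES = {
    "Linux 2.4":         {"isn": "RI",  "df": "Y", "win": "16A0", "ttl": 64,  "rst_ttl": 64},
    "Windows 2000":      {"isn": "RI",  "df": "Y", "win": "4470", "ttl": 128, "rst_ttl": 128},
    "Apple LaserWriter": {"isn": "64K", "df": "N", "win": "1000", "ttl": 255, "rst_ttl": 255},
}

# Banner substring -> OS family it implies (constructed, deliberately crude:
# banners are the easiest layer to edit, so this is the weakest signal).
BANNER_HINTS = [
    (re.compile(r"Microsoft-IIS|Windows", re.I), "Windows 2000"),
    (re.compile(r"Debian|Ubuntu|Red Hat|Linux", re.I), "Linux 2.4"),
    (re.compile(r"LaserWriter|PostScript", re.I), "Apple LaserWriter"),
]


def best_match(obs, features):
    """Profile agreeing with obs on the most of `features`; None if nothing
    matches at all (ties resolve to the first profile in PROFILES)."""
    scores = {name: sum(obs.get(f) == prof[f] for f in features)
              for name, prof in PROFILES.items()}
    name, score = max(scores.items(), key=lambda kv: kv[1])
    return name if score > 0 else None


def banner_os(banner):
    for pattern, os_name in BANNER_HINTS:
        if pattern.search(banner):
            return os_name
    return None


def assess(obs):
    """Compare the three layers and phrase the disagreement, if any."""
    legacy = best_match(obs, LEGACY)
    extended = best_match(obs, EXTENDED)
    banner = banner_os(obs.get("banner", ""))
    if legacy is None:
        verdict = "unknown stack"
    elif extended and extended != legacy:
        # Old probes were answered for one OS, newer probes betray another.
        verdict = f"{extended} pretending to be {legacy}"
    elif banner and banner != legacy:
        # The Netcraft FAQ's case: proxy/load balancer or an edited banner.
        verdict = f"banner claims {banner} but stack says {legacy}"
    else:
        verdict = f"consistent: {legacy}"
    return {"legacy": legacy, "extended": extended, "banner": banner, "verdict": verdict}


# Constructed host records (the SSH banner string is the one quoted in the
# "Cool :)" post above; the stack values are invented).
SPOOFED_HOST = {"isn": "64K", "df": "N", "win": "1000", "ttl": 64, "rst_ttl": 64,
                "banner": "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1"}
HONEST_LINUX = {"isn": "RI", "df": "Y", "win": "16A0", "ttl": 64, "rst_ttl": 64,
                "banner": "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1"}
PROXIED_IIS = {"isn": "RI", "df": "Y", "win": "16A0", "ttl": 64, "rst_ttl": 64,
               "banner": "Server: Microsoft-IIS/5.0"}

if __name__ == "__main__":
    for name, host in [("spoofed", SPOOFED_HOST), ("honest", HONEST_LINUX),
                       ("proxied", PROXIED_IIS)]:
        print(f"{name:8s} -> {assess(host)['verdict']}")
```

Used on your own inventory, the interesting output is any host whose verdict is not "consistent": either a personality module that only covers the old probes, or a reverse proxy in front of a server you had forgotten about.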
Fyodor....... (Score:1)
Thanks for all you've done for network security over the last few years - us poor mortals have to rely on proper smart guys like you for the real work.
This is no bull - you have done as much for network security as anyone that has ever written a firewall, and more than most.
I say again - respect! and big ups to Fyodor!!!!!
Purpose of OS detection (Score:1, Funny)
Mirror of paper (Score:2)
www.si20.com/nmap.php [si20.com]