Nmap Announce mailing list archives
Re: OS Detection Question
From: Fyodor <fyodor () insecure org>
Date: Sun, 7 May 2000 19:23:04 -0700 (PDT)
On Fri, 5 May 2000, Mr. Man wrote:

> On Fri, 5 May 2000, Cameron Palmer wrote:
> > You'll list off your security measures and say we're lying about the OS type, and how is it your OS masking hasn't introduced a new problem.
>
> What problems might it introduce? So far I've read of none associated with either the Linux patches, or with dropping packets with odd combinations of TCP header flags set. This is not like just turning off all ICMP and watching path MTU discovery break.
Attempting to defeat OS detection could cause all sorts of problems. And in fact, the current attempts DO cause all sorts of problems. So far, I have seen two main tools discussed for this purpose:

iplog -z (or --fool-nmap=true): The man page for iplog (http://ojnk.sourceforge.net/iplog.8.html) states: "Warning: This option is dangerous and can set off network traffic storms."

KOSF (http://www.hit2000.org/kosf/): This page says: "As most of the systems that kosf can fake utilize the so called 64K rule, it gets easier to spoof the sequence number. But then again, it is probably clear that faking an apple color laserwriter on a high load computer is not a very good plan, as the printer was not designed for that..."

One of the main OS detection techniques Nmap uses is to ask the machine what its capabilities are. If you falsely claim to not have the capabilities, you could lose important security/efficiency functionality. If you falsely claim to have these, you could break normal programs which expect you to back that up. Other OS tests involve security -- for example TCP sequence prediction tests and IP.ID prediction (not currently implemented). I think compromising security features of your OS just to obscure the type/version number is a bad idea.

And it is of course worth noting that true OS stealthing is basically unachievable. You may be able to trick nmap with the default arguments, but skilled attackers may use other tests and can also make inferences based on the raw nmap fingerprint.

Clearly, obscuring your OS (even from script kiddies) can have at least some marginal value. But I certainly wouldn't risk futzing with my kernel to achieve them. Others may (and do) see the tradeoff differently and might consider OS detection spoofing in some circumstances. But it seems that almost everyone agrees that:

1) Never try to mask a real security vulnerability by pretending you are using an OS that is not vulnerable. Fix the hole!

2) Make sure you take care of fundamental security issues like closing unused ports, adding your filtering rules, and applying the latest patches before worrying about esoteric stuff like OS detection spoofing.

3) Don't become complacent or any less vigilant about aggressive security maintenance and monitoring just because you think you have hidden your OS information.

Cheers,
Fyodor
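To make concrete what the TCP sequence prediction test Fyodor mentions actually measures, here is an added example (not part of the thread and not nmap's code) that sorts a run of ISNs sampled from successive connections into the coarse families nmap reported at the time, including the "64K rule" from the KOSF quote. The class thresholds and the sample ISN series are assumptions of this example; the practical use is auditing your own host's ISN generator rather than disguising it.

```python
"""Coarse TCP ISN predictability check, modelled on nmap's sequence
prediction test. Added example; the sample ISN series are constructed."""
from functools import reduce
from math import gcd
from statistics import pstdev

WRAP = 2 ** 32  # ISNs are 32-bit and wrap around


def signed_increments(isns):
    """Differences between consecutive ISNs, read as signed 32-bit values
    so that a wrap past 2**32 still counts as a small positive step."""
    return [((b - a + WRAP // 2) % WRAP) - WRAP // 2
            for a, b in zip(isns, isns[1:])]


def isn_class(isns):
    """Return (class, gcd of increments, std-dev of increments).

    Classes (an assumption of this example) follow the families nmap
    reported at the time: constant, '64K rule' (steps of 64000), i800
    (steps of 800), random positive increments, and truly random."""
    if len(isns) < 2:
        raise ValueError("need at least two ISN samples")
    inc = signed_increments(isns)
    g = reduce(gcd, (abs(d) for d in inc))
    index = round(pstdev(inc), 1)  # rough 'difficulty' score
    if all(d == 0 for d in inc):
        return "constant", g, index
    if all(d > 0 for d in inc):
        if all(d % 64000 == 0 for d in inc):
            return "64K rule", g, index
        if all(d % 800 == 0 for d in inc):
            return "i800", g, index
        return "random positive increments", g, index
    # a backwards step means the generator is not a monotonic counter
    return "truly random", g, index


if __name__ == "__main__":
    samples = {  # constructed ISN series, one per class
        "printer-like": [1000, 1000, 1000, 1000],
        "64K": [0, 64000, 128000, 192000],
        "i800": [100, 900, 2500, 3300],
        "positive": [10, 500_000, 1_200_000, 3_000_000],
        "random": [2_000_000_000, 500_000_000, 1_500_000_000],
    }
    for name, series in samples.items():
        print(name, isn_class(series))
```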