Penetration Testing mailing list archives
Re: Block OS Detection
From: Joxean Koret <joxeankoret () yahoo es>
Date: Tue, 04 Sep 2007 22:30:34 +0200
Hi,

The problem is that there is no real solution to do what Attari wants; no real-world practical solution. You can confuse a tool but not all the tools in the internet or a not too skilled guy doing a _manual_ test.

The only way, IMHO, is by putting machines in front of the real production server (it may confuse a little the tcp stack probes). Anyway, reading the banners and analyzing how the applications in the server answer (and what applications/protocols are being used) you can guess the real operating system; various services (such as the stupid dtspcd) will say even the architecture (sparc, i386) so...

Just my opinion.

PS: I don't consider blocking OS detection interesting, except as a joke.

Regards,
Joxean Koret

On Mon, 2007-09-03 at 10:51 -0700, Jon DeShirley wrote:
> Changing default stack values will give you a little bit of protection from OS fingerprinting, but there are usually other identifiers that will give your stack away. Dropping SYN+FIN, altering default TCP TTL values, changing the default TCP window size, and a few other things will fool a passive OS fingerprint. A few of the techniques are documented here: http://www.zog.net/Docs/nmap.html
>
> But this is all moot, unless you go through all your service banners to sanitize them and block all default services (i.e. Active Directory, Linuxconf, or ToolTalk) that would give your platform away.
>
> On 8/31/07, Attari Attari <c70n3 () yahoo co in> wrote:
>
>> Is there a PRACTICAL solution for PRODUCTION environments that can be used to block OS detection from tools like NMAP? I googled and read some notes but couldn't find a real world solution to blocking Windows & Linux OS detection.
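Passive fingerprinting of the kind Jon describes scores several SYN fields at once, which is why changing only the TTL buys little. The following is an added example, not code from this thread nor from p0f or nmap: a toy matcher run over constructed SYN records, where the signature table and its TTL/window/option values are illustrative assumptions standing in for a real fingerprint database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SynSignature:
    ttl: int        # IP TTL (initial value in a signature, as seen on the wire for an observed SYN)
    window: int     # TCP window advertised in the SYN
    df: bool        # IP "don't fragment" bit
    options: str    # TCP option layout in order, e.g. "MSS,SACK,TS,NOP,WS"

# Illustrative fingerprint table constructed for this example (assumed values, not a real database).
SIGNATURES = {
    "linux-2.6 (illustrative)":  SynSignature(64, 5840, True, "MSS,SACK,TS,NOP,WS"),
    "windows-xp (illustrative)": SynSignature(128, 65535, True, "MSS,NOP,NOP,SACK"),
    "freebsd (illustrative)":    SynSignature(64, 65535, True, "MSS,NOP,WS,SACK,TS"),
}
# Option layout is the hardest field to change with a sysctl, so it weighs most in the match.
WEIGHTS = {"ttl": 1, "window": 1, "df": 1, "options": 3}

def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (each hop decrements it)."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255

def matching_fields(observed: SynSignature, sig: SynSignature) -> list:
    """Names of the fields on which the observed SYN agrees with a signature."""
    checks = (
        ("ttl", initial_ttl(observed.ttl) == sig.ttl),
        ("window", observed.window == sig.window),
        ("df", observed.df == sig.df),
        ("options", observed.options == sig.options),
    )
    return [name for name, ok in checks if ok]

def guess_os(observed: SynSignature) -> tuple:
    """Return (best_name, matched_fields) for the highest-scoring signature."""
    best = (None, [], -1)
    for name, sig in SIGNATURES.items():
        fields = matching_fields(observed, sig)
        score = sum(WEIGHTS[f] for f in fields)
        if score > best[2]:
            best = (name, fields, score)
    return best[0], best[1]

# Constructed SYNs: a stock Linux host 6 hops away; the same host after only its TTL was
# raised to 128; and after TTL, window and option layout were all changed to look like Windows.
STOCK_LINUX   = SynSignature(ttl=58, window=5840, df=True, options="MSS,SACK,TS,NOP,WS")
TTL_ONLY      = SynSignature(ttl=122, window=5840, df=True, options="MSS,SACK,TS,NOP,WS")
FULL_DISGUISE = SynSignature(ttl=122, window=65535, df=True, options="MSS,NOP,NOP,SACK")
```

Running `guess_os` on the three records shows the TTL-only change still matching the Linux entry on window, DF and option layout; only the full set of changes moves the best match, and as the thread notes, service banners are untouched by any of it.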