Nmap Announce mailing list archives

Re: Fingerprint?


From: //Stany <stany () pet notbsd org>
Date: Tue, 5 Jan 1999 19:18:38 -0500 (EST)

On Tue, 5 Jan 1999, Takacs Istvan wrote:
> Where can I find any document about the OS's
> fingerprinting?

Well, the article that Fyodor has on his site
http://www.insecure.org/nmap/nmap_doc.html
is pretty extensive.   You might also want to read the phrack article
that has appeared in phrack 54 and catch up on your bugtraq reading.

Also you might want to look at the source of queso and nmap.

> I manage some web servers, and I don't want to
> enable this kind of scanning.
>
> Or could you offer any method to disable this
> 'feature' in the OS level?

I'm afraid not, although you can try recompiling your kernel (if your OS has
kernel source available) with some modifications to the networking code to
imitate that your OS is different from what it is in fact.  Alternatively
I have heard that there is a way under Solaris to poke some values in the
kernel with ndd to change some of the responses to nmap queries, but I
have not heard from that person again (anyone know more?)

As knowing the remote OS is rather useless without a daemon to
exploit to gain a remote entry (at least to most crackers), if you are
running Linux or BSD, I can recommend running it on one of the less
commonly used platforms.  In my tests both ARMLinux (On Corel NetWinder,
kernel 2.0.31 on builds 3-10, and kernel 2.0.35 on build 12)
and SPARCLinux (On SS10-612, running RH 5.1-5.2 SPARC) were detected
correctly by nmap as Linux 2.0.3x, but the average person would most probably
assume that the hardware that is used is Intel (And besides how many
crackers know SPARC or ARM assembly or can obtain ready shellcodes?   Way
fewer people than those who can do Intel assembly) based.

Alternatively you most probably could build a proxy-firewall, which will
be a single secure machine with little on it other than firewalling rules
and the ability to relay the requests to firewalled web servers and relay back
the responses.  Again, my experience is with Solaris and Linux, and I know
that this is not that complicated under the latter.

If you have found a way that works and that I have overlooked, I would be
very interested to hear about it.

> Thanks a lot!

Best of luck.

> Regards,
>
>               Istvan

//Stany

-- 
+-----------------------------------------------------------------------------+
|         Stanislav N. Vardomskiy - Procurator Odiosus Ex Infernis[TM]        |
|        This message is brought to you by letters jey, ow, el and tee.       |
|              Jolt!  For all the sugar and twice the caffeine.               |
+-----------------------------------------------------------------------------+
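
The proxy-firewall idea in the message above, as an added example that is not part of the original post: a relay that terminates the client's TCP connection and opens its own to the web server passes on only application bytes, so stack-level probes are answered by the relay host's TCP/IP stack, never the backend's. The names listen_local, serve_once and demo are hypothetical, both "servers" are loopback stand-ins constructed for the demo, and the relay host itself remains fingerprintable.

```python
import socket
import threading

def listen_local():
    """Listening TCP socket on an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def serve_once(listener, handler):
    """Accept a single connection in a background thread and hand it to handler."""
    def run():
        conn, peer = listener.accept()
        with conn:
            handler(conn, peer)
    threading.Thread(target=run, daemon=True).start()

def demo():
    seen = {}
    backend = listen_local()  # stands in for the firewalled web server
    relay = listen_local()    # stands in for the proxy-firewall

    def backend_handler(conn, peer):
        seen["backend_peer"] = peer  # who the backend's TCP stack talks to
        conn.recv(4096)
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello")  # constructed response

    def relay_handler(client, peer):
        seen["relay_peer"] = peer
        request = client.recv(4096)
        # A second, independent TCP connection: only payload bytes cross over.
        with socket.create_connection(backend.getsockname()) as upstream:
            seen["upstream_addr"] = upstream.getsockname()
            upstream.sendall(request)
            while chunk := upstream.recv(4096):
                client.sendall(chunk)

    serve_once(backend, backend_handler)
    serve_once(relay, relay_handler)
    with socket.create_connection(relay.getsockname()) as c:
        seen["client_addr"] = c.getsockname()
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed request
        reply = b""
        while chunk := c.recv(4096):
            reply += chunk
    backend.close()
    relay.close()
    return reply, seen

if __name__ == "__main__":
    print(demo())
```

The backend's recorded peer is the relay's outbound socket, not the client's, which is the property that keeps scanner probes off the web server's stack.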


