Nmap Announce mailing list archives

Re: OS Detection Question


From: Fyodor <fyodor () insecure org>
Date: Wed, 3 May 2000 17:52:26 -0700 (PDT)

On Wed, 3 May 2000, John Turner wrote:

> Is there a way to completely fool (or block) OS detection from
> scanners (like nmap, queso, etc.) using the Linux OS? What about
> Windoze?

Yes, it is actually pretty easy.  Just change one of the values they look
for (like initial window size) -- see
http://www.insecure.org/nmap/nmap-fingerprinting-article.html .  Nmap does
not make a "best guess".  It requires everything in the fingerprint to
match an nmap-os-fingerprints template before it gives a positive result.  
Otherwise it says "none found".  So if you change one attribute on your
machine to something not found in the wild, Nmap will give a "not found"
result.

However, a skilled user will be able to look at the returned fingerprint,
compare it to those in nmap-os-fingerprints, and probably figure out what
you have changed and what OS you are running.

Admittedly, Nmap could also make a "best guess" at the OS by finding and
reporting the fingerprint which most closely resembles the one detected.  
Maybe I'll add an option to do that.  But there are two problems with
guessing by default:

1) When a (normal) machine does not match any fingerprints, it is very
useful for people to report the fingerprint.  If Nmap "guesses"
(especially if the guess is correct or only off by a version number),
people are far less likely to report the fingerprint.

2) Obviously a guess increases the chance of a false positive.  It is
often better to say "I don't know the OS" than to guess and be wrong.

Cheers,
Fyodor

--
Fyodor                            'finger pgp () pgp insecure org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
"Hacking is not about answers. Hacking is about the path you take to find
 the answers." --ReDragon
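Added example, not part of the original mail or of nmap's code: a toy matcher that implements the two rules the reply contrasts, exact matching (report a name only when every attribute of a template matches) versus nearest matching (rank templates by how many attributes agree). The template text and the observed fingerprints are constructed for this example in a simplified nmap-os-fingerprints-like syntax; the entries are not real ones, and only the `A|B` alternative syntax is modelled, not numeric ranges. The scenario is the one in the mail: a stock host that matches a template exactly, then the same host with its SYN-ACK window (`W`) changed to a value no template carries.

```python
"""Exact-match vs. nearest-match OS fingerprint lookup (constructed example).

A fingerprint is a set of probe tests (TSeq, T1..T5), each a map of
attribute -> value.  TEMPLATE_TEXT uses a simplified nmap-os-fingerprints-like
syntax; the entries are constructed for this example and are NOT real ones.
"""
from __future__ import annotations
import copy

TEMPLATE_TEXT = """\
Fingerprint Example Linux 2.2.x (constructed)
TSeq(Class=RI%gcd=1)
T1(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

Fingerprint Example Linux 2.0.x (constructed)
TSeq(Class=RI%gcd=1)
T1(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

Fingerprint Example Windows NT4 (constructed)
TSeq(Class=TD%gcd=1)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
"""

Fingerprint = dict[str, dict[str, str]]  # test name -> {attribute: value}


def parse_templates(text: str) -> dict[str, Fingerprint]:
    """Parse 'Fingerprint <name>' headers followed by TEST(k=v%k=v...) lines."""
    fps: dict[str, Fingerprint] = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            fps[name] = {}
            continue
        test, _, body = line.partition("(")
        attrs: dict[str, str] = {}
        for item in body.rstrip(")").split("%"):
            key, _, value = item.partition("=")
            if key:                      # 'Ops=' yields an empty value, kept
                attrs[key] = value
        fps[name][test] = attrs
    return fps


def compare(template: Fingerprint, observed: Fingerprint):
    """Return (matched, total, mismatches).  'A|B' in a template matches either
    value; an attribute missing from the observed fingerprint is a mismatch."""
    matched = total = 0
    mismatches = []
    for test, attrs in template.items():
        for key, allowed in attrs.items():
            total += 1
            seen = observed.get(test, {}).get(key, "<absent>")
            if seen in allowed.split("|"):
                matched += 1
            else:
                mismatches.append((test, key, allowed, seen))
    return matched, total, mismatches


def exact_match(fps: dict[str, Fingerprint], observed: Fingerprint) -> list[str]:
    """The rule in the mail: a name is reported only if every attribute matches."""
    return [name for name, t in fps.items() if not compare(t, observed)[2]]


def best_guess(fps: dict[str, Fingerprint], observed: Fingerprint):
    """Nearest-match ranking, best first: (name, fraction matched, #mismatches)."""
    ranked = []
    for name, t in fps.items():
        matched, total, mism = compare(t, observed)
        ranked.append((name, matched / total, len(mism)))
    ranked.sort(key=lambda r: (-r[1], r[2], r[0]))
    return ranked


def with_attribute(fp: Fingerprint, test: str, key: str, value: str) -> Fingerprint:
    """Copy of fp with one attribute changed, e.g. the host's initial window."""
    out = copy.deepcopy(fp)
    out.setdefault(test, {})[key] = value
    return out


FPS = parse_templates(TEMPLATE_TEXT)
LINUX = "Example Linux 2.2.x (constructed)"
# Constructed observations: a stock host equal to the Linux 2.2.x template, and
# the same host after its SYN-ACK window was set to a value no template has.
STOCK = copy.deepcopy(FPS[LINUX])
TWEAKED = with_attribute(with_attribute(STOCK, "T1", "W", "BEEF"), "T3", "W", "BEEF")

if __name__ == "__main__":
    print("exact, stock host:  ", exact_match(FPS, STOCK))    # [LINUX]
    print("exact, tweaked host:", exact_match(FPS, TWEAKED))  # [] -> "none found"
    for name, score, n in best_guess(FPS, TWEAKED):
        print(f"guess {score:.3f} ({n} mismatches): {name}")
    print("what was changed:", compare(FPS[LINUX], TWEAKED)[2])
```

Changing the window alone turns the exact match into "none found", but the nearest-match ranking still puts the original template first with two mismatches, and the mismatch list names exactly the attribute that was altered; that is the comparison the reply says a skilled user would do by hand against nmap-os-fingerprints. The sibling 2.0.x template ranking second is the "off by a version number" case from point 1: a guess that is nearly right is the kind of result that would stop people reporting a genuinely new fingerprint.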
