Re: Methods for evading Nmap OS Fingerprinting

["Alex Lambert" <alambert () quickfire org>]

David,

OpenBSD's "pf" has an interesting option called "scrub" that I don't believe
you explored. The URL for the manpage is
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apr
opos=0&manpath=OpenBSD+Current and says:

   "Traffic normalization is used to sanitize packet content in such a way
     that there are no ambiguities in packet interpretation on the receiving
     side.  The normalizer does IP fragment reassembly to prevent attacks
that
     confuse intrusion detection systems by sending overlapping IP
fragments."

Some of its options, such as "random-id" could inhibit nmap success.



Cheers,

apl

----- Original Message -----
From: "David Barroso" <tomac () somoslopeor com>
To: <pen-test () securityfocus com>
Sent: Sunday, March 09, 2003 6:17 AM
Subject: Methods for evading Nmap OS Fingerprinting


> Hello,
> I've just released a brief paper about methods for defeating Nmap when
> guessing the remote OS. Since most pen-testers run Nmap for OS discover,
> they should know which apps are out there for fooling Nmap and how they
> work.
>
> http://voodoo.somoslopeor.com/papers.php
>
> --------------------------------------------------------------------------
--
> Are your vulnerability scans producing just another report?
> Manage the entire remediation process with StillSecure VAM's
> Vulnerability Repair Workflow.
> Download a free 15-day trial:
> http://www2.stillsecure.com/download/sf_vuln_list.html


----------------------------------------------------------------------------

Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html