Penetration Testing mailing list archives

RE: Block OS Detection


From: alan <alan () clueserver org>
Date: Tue, 4 Sep 2007 11:11:49 -0700 (PDT)

On Mon, 3 Sep 2007, Andrew Court wrote:

Sup,

Maybe an easier method would be to confuse any would-be attacker by
changing banner information to different versions and architectures. For
example, if this is a Linux box with Apache, put IIS-style error
pages (403, 404 etc.), and replace the banner information with what you
would find on an IIS server. If I was doing an Nmap scan and it said
Linux, but the banner information was that of a Windows machine, I would
be a bit confused, and may assume Nmap is lying (it does happen). You
could also enable port knocking so the SSH port does not get found in the
initial scans. Any further attempts at correctly identifying the OS of the
server should be noisy enough for your IDS to pick it up.

There are also a couple of hacks that will "randomize" the responses to TCP requests, making it difficult for nmap to determine which OS is running. (I believe that nmap uses a behavioural analysis of network responses to determine the OS more than trusting any banner.)

With Apache, you can change the banner to report anything you want. (Useful when building a honeypot.)


Regards,

Andrew Court

IT Security Specialist | BT Retail - Ireland |
E:Andrew.Court () bt com |Mobile: +353 86 1720 692 | Fax: +353 1 432 5899|
www.btireland.com



-----Original Message-----
From: Jonathan Yu [mailto:jonathan.i.yu () gmail com]
Sent: 01 September 2007 13:32
To: Gadi Evron
Cc: Attari Attari; pen-test () securityfocus com;
pen-test-return-1078485025 () securityfocus com
Subject: Re: Block OS Detection


Hi there,

I am by no means an expert, but I believe that each TCP stack produces a
"unique" signature. Each operating system's stack behaves a certain way
and there are quirks based on the implementation, so I think that you
will still be able to fingerprint the operating system based on those
unless you do some sort of scrubbing (which would be pretty difficult).
Perhaps replacing the entire stack with something used by a lot of
people on different systems would give you the protection you require?

Jonathan Yu

On 9/1/07, Gadi Evron <ge () linuxbox org> wrote:
Not everything is good, but you can overwrite different packet values
using... a firewall, for example.

Just one thingie.


On Fri, 31 Aug 2007, Attari Attari wrote:

Hello All:

Is there a PRACTICAL solution from PRODUCTION
environments that can be used to block OS detection
from tools like NMAP? I googled and read some notes
but couldn't find a real world solution to blocking
Windows & Linux OS detection.

I'm quite sure I'll get the right inputs here.

Thank you.

Attari


--------------------------------------------------------------------
----
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
--------------------------------------------------------------------
----

--
Refrigerator Rule #1: If you don't remember when you bought it, Don't eat it.
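Jonathan Yu's point that the TCP stack itself leaves a signature, set against Andrew Court's suggestion of swapping banners, is something you can check on your own hosts. Below is an added example, not code from anyone in this thread: it extracts the fields a passive fingerprinter keys on (initial TTL, window size, option layout) from a raw SYN and compares the result with the advertised HTTP banner. The signature table, the option layouts and the crude banner-to-family mapping are constructed for illustration and are not taken from nmap or any other tool.

```python
import struct

# TCP option kinds (RFC 793, 1323, 2018) -> names used in the signature table.
OPT_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}
# Illustrative signatures constructed for this example: (initial TTL, window, options) -> family.
SIGNATURES = {
    (64, 5840, "mss,sackOK,ts,nop,wscale"): "linux-like",
    (128, 65535, "mss,nop,wscale,nop,nop,sackOK"): "windows-like",
}
# Constructed option layouts matching the two signatures above.
LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"

def build_syn(ttl, window, options):
    """Constructed IPv4+TCP SYN with no payload; checksums are left zero."""
    opts = options + b"\x00" * (-len(options) % 4)        # pad to 32-bit words
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(opts), 1, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + opts

def initial_ttl(observed):
    """Round a hop-decremented TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if t >= observed)

def stack_features(pkt):
    """Pull out the fields a passive fingerprinter keys on from a raw SYN."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]                        # skip IPv4 header
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    names, opts, i = [], tcp[20:doff], 0
    while i < len(opts) and opts[i] != 0:                   # kind 0 ends the list
        if opts[i] == 1:                                    # NOP carries no length
            names.append("nop")
            i += 1
        else:
            names.append(OPT_NAMES.get(opts[i], f"opt{opts[i]}"))
            i += opts[i + 1]
    return (initial_ttl(pkt[8]), window, ",".join(names))

def classify(pkt):
    """OS family suggested by the stack alone, ignoring any application banner."""
    return SIGNATURES.get(stack_features(pkt), "unknown")

def banner_matches_stack(banner, pkt):
    """Does the HTTP Server banner agree with the stack? (crude banner mapping)"""
    claimed = "windows-like" if "IIS" in banner else "linux-like" if "Apache" in banner else "unknown"
    return claimed == classify(pkt)
```

A banner swapped to IIS on a box whose SYNs still classify as linux-like is exactly the mismatch a behavioural scanner reports, so the check is worth running against your own hosts after any banner change.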
