Penetration Testing mailing list archives

Re: Block OS Detection

From: Joxean Koret <joxeankoret () yahoo es>
Date: Tue, 04 Sep 2007 22:30:34 +0200

Hi,

The problem is that there is no real solution to do what Attari wants;
no real-world practical solution.

You can confuse a tool but not all the tools in the internet or a not
too skilled guy doing a _manual_ test. The unique way, IMHO, is by
putting  machines in front of the real production server (it may confuse
a little the tcp stack probes).

Anyway, reading the banners and analyzing how the applications in the
server answers (and what applications/protocols are being used) you can
guess the real operative system; various services (such as the stupid
dtscpd) will say even the architecture (sparc, i386) so...

Just my opinion.

PS: I don't consider interesting blocking OS detection, except as a
joke.

Regards,
Joxean Koret

On lun, 2007-09-03 at 10:51 -0700, Jon DeShirley wrote:

Changing default stack values will give you a little bit of protection
from OS fingerprinting, but there are usually other identifiers that
will give your stack away.  Dropping SYN+FIN, altering default TCL TTL
values, changing the default TCP window size, and a few other things
will fool a passive OS fingerprint.  A few of the techniques are
documented here: http://www.zog.net/Docs/nmap.html .

But this is all moot, unless you go through all your service banners
to sanitize them and block all default services (ie: Active Directory,
Linuxconf, or ToolTalk) that would give your platform away.


On 8/31/07, Attari Attari <c70n3 () yahoo co in> wrote:

Is there a PRACTICAL solution from PRODUCTION
environments that can be used to block OS detection
from tools like NMAP? I googled and read some notes
but couldn't find a real world solution to blocking
Windows & Linux OS detection.


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Re: Block OS Detection Gadi Evron (Sep 01)
- Re: Block OS Detection Jonathan Yu (Sep 01)
- RE: Block OS Detection Ofer Shezaf (Sep 04)
  - RE: Block OS Detection Gadi Evron (Sep 04)
  - RE: Block OS Detection Gadi Evron (Sep 04)
    - RE: Block OS Detection Philippe Bogaerts (Sep 04)
- <Possible follow-ups>
- Re: Block OS Detection Dotzero (Sep 04)
- Block OS Detection Jon DeShirley (Sep 04)
  - Re: Block OS Detection Joxean Koret (Sep 04)
  - Re: Block OS Detection Robert E. Lee (Sep 05)
    - Re: Block OS Detection Gadi Evron (Sep 05)
- Re: Block OS Detection sami seclist (Sep 04)
- RE: Block OS Detection Andrew Court (Sep 04)
  - RE: Block OS Detection alan (Sep 04)
  - RE: Block OS Detection Strykar (Sep 05)
- Re: Block OS Detection John Brazel (Sep 05)
  - RE: Block OS Detection Arafat M. Bique (Sep 05)
    - Re: Block OS Detection vtlists (Sep 05)