OpenBSD Journal

A practical approach for defeating Nmap OS-Fingerprinting

Contributed by jose on from the hiding-yourself dept.

David Barroso Berrueta has put together a list of rules and tools you can use to defeat Nmap OS fingerprinting. He's found several mechanisms on various OS flavors, and even shows simple rules to use in PF to defeat this fingerprinting. The document he put together is at http://voodoo.somoslopeor.com/papers/nmap.html .

Comments
  1. By ben () on

    sysctl tweaks can also be used to fool os detection.
    ie:
    # this makes p0f consider my OpenBSD 3.4 as a WinXP SP1 (32767:128:1:48:M1452,N,N,S:) (cf. /etc/pf.os)
    # so don't use no-df in pf.conf
    net.inet.tcp.recvspace=32767
    net.inet.tcp.sendspace=32767
    net.inet.ip.ttl=142 # desired value +14 (here: 128+14)


    those sysctls may also have influence:
    net.inet.tcp.sack
    net.inet.tcp.sack
    net.inet.tcp.rfc1323
    net.inet.ip.mtudisctimeout

    changing max-mss with pf (ie: scrub out all max-mss 1450 for instance) defeats the p0f link detection.

    you can check your tweaks' impact by visiting the p0f page here:
    http://lcamtuf.coredump.cx/p0f-help/

    of course, security through obscurity doesn't protect against good hackers but helps to avoid (the most common case of) script kiddies blindly scanning network range for some known exploitable hole with dumb scripts.

    and the hard job comes when you try to mask services banners (apache, ssh ...).

    Comments
    1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

      More people running Windows, yeah!
      BSD is dying, thank you.

    2. By Anonymous Coward () on

      Very interesting! Wondering if I can setup a bridge with a honeypot system behind it using these or similar settings from pf.os to mimic a particular OS and have snort track their attempts...

      BTW, where's you get the 128+14 values from? I assume you just double your stock ttyl size then added +14 from somewhere?

      Comments
      1. By Anonymous Coward () on

        oops, where's = where'd and ttyl I meant TTL.

  2. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

    Is it a shame to run OpenBSD so that you poorly have to hide it? So why do you run it?

    That's great. Then people will keep saying that the total number of servers running OpenBSD is near zero. Thanks for encouraging this.

    Comments
    1. By Wim () on

      Maybe we should encourage Linux users to pretend to be OpenBSD?

      Oh wait, what if they all get rooted anyways?

    2. By Chris () on

      Ummm, because most openbsd users don't CARE? They want a secure setup, and if that means dickheads lobbing windows XP vulnerabilities at my openbsd box, then great.

      Comments
      1. By Frank Denis () on

      2. By Frank Denis () j@pureftpd.org on http://www.pureftpd.org/

        Sorry but I care.

        I care that vendors don't care about OpenBSD. For instance I don't know of any vendor of backup software that supports OpenBSD.

        Comments
        1. By Luiz Gustavo () on

          I had this problem once, yes, but figured out our backup was much less painful, reliable and inexpensive.

          Keep in mind not every time you need a full-blown solution.

          Unfortunately it can probably keep you out from many enterprise weenies.

          Comments
          1. By Frank Denis () j@pureftpd.org on http://www.pureftpd.org/

            Right, dump and star are free and efficient ways of backing up systems. This is what I use at home.

            But this is not something my pointy-haired boss would tolerate. Backups are critical, we must purchase an expensive solution, with commercial support, etc.
            We finally bought Legato Networker. There's nothing but an old, totally unsupported FreeBSD client and absolutely nothing for OpenBSD. So we have to make backups through NFS...

            Comments
            1. By Luiz Gustavo () on

              Interesting how they are the same across the ocean...

              I only disagree about commercial support, unfortunately;
              I've only had bad support from big vendors and varied levels from 3rd party ones.

              Only this week I have seen my first AIX consultant with a clue, after five years working with it.

              Yes I share the same pain.

  3. By mr_scary () on

    While I myself have wanted to find out if this could be done after thinking about it I realize that doing so may make matters worse. Why try to hide the fact to a hacker that they have just encountered one of the most secure operating systems around? Someone here mentioned posing as a Windows box. Excuse me? Do you really want your machine to have to take the abuse of further probes and exploit attempts?

    It is cool though.

    Anyways, I asked Daniel Hartmeier (the creator of PF) on comp.unix.bsd.openbsd.misc this very question:

    > a) Is it possible to thwart OS fingerprinting? If so, how?

    Depends on what kind of fingerprinting. For netcraft, the following currently works

    scrub in on $ext_if all fragment reassemble
    scrub out on $ext_if all fragment reassemble

    Then block by default with return-rst, creating state only on flags S/SA.

    Your own outgoing TCP connections can be fingerprinted based on the various parameters in the TCP SYN, for instance changing

    sysctl -w net.inet.tcp.recvspace=8192
    sysctl -w net.inet.tcp.sendspace=8192

    or other non-default values, will change the signature.

    It will remain a race between detection and thwarting, there can't be a single 'thwart detection reliably for the next five years' switch, you'll have to regularly check how new detection algorithms work, and adjust parameters appropriately. It might not be worth the effort.
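    Daniel Hartmeier's answer above and ben's earlier comment each describe part of a pf.conf; the fragment below combines them into one ruleset as an added example that is not from the thread, from Hartmeier, or from the paper being discussed. The interface name and the ports allowed in are placeholders; the max-mss value of 1450 and the flags S/SA and return-rst choices are the ones the comments give.

```pf
# Added example, not from the thread: pf.conf fragment in OpenBSD 3.4-era syntax
# combining the fingerprint-hardening rules discussed above. The interface name
# and the list of allowed services are placeholders chosen for illustration.
ext_if = "fxp0"
tcp_services = "{ 22, 80 }"

# Reassemble fragments in both directions so probes built from unusual fragment
# sequences are normalised before any rule sees them (Hartmeier's suggestion).
# The outbound max-mss clamp is ben's trick: p0f guesses the link type from the
# MSS carried in the SYN, so a clamped MSS no longer reveals the real medium.
scrub in  on $ext_if all fragment reassemble
scrub out on $ext_if all fragment reassemble max-mss 1450

# Default deny. Last matching rule wins, so TCP to a closed port is refused with
# a RST (as a host without a firewall would do) instead of being dropped
# silently, which would itself reveal a packet filter; everything else is dropped.
block in on $ext_if all
block return-rst in on $ext_if proto tcp all

# Create state only on a clean SYN (flags S/SA): segments with other flag
# combinations never match a pass rule and are answered by the block rule above,
# so they are never handed to the TCP stack whose replies a fingerprinter reads.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
```

    The sysctl values from ben's and Hartmeier's posts (net.inet.tcp.recvspace, net.inet.tcp.sendspace, net.inet.ip.ttl) are not pf settings; they belong in /etc/sysctl.conf and change the SYN the kernel itself generates, which is what outgoing connections are fingerprinted on. As Hartmeier notes, this is a race, so the result should be re-checked (for example against the p0f page ben links) after each upgrade of either side.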

  4. By Anonymous Coward () on

    For all of you who think this is pointless, or who think that things like port knocking are pointless, I agree with you: don't use them if you don't need them. But there are always security needs and uses that might be surprising or unanticipated, and having these tools and capabilities out there is great. It is also interesting from a research perspective. I would love to see our favorite OS get more tricks like this. People will come up with innovative uses, and innovative uses have a way of turning into needs, with time.

    Comments
    1. By Anonymous Coward () on

      Nicely said!

      Comments
      1. By Anonymous Coward () on

        Thanks!

  5. By Michael () on http://e.molioner.dk/

    Please, read the reasons for using this crap. In particular, the second "reason" struck me as being complete nonsense:

    "Having an unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kinds of 'bad' news are always sent to the public opinion."

    Err, hallo? Should your users trust you if you are indeed running an unpatched machine?

    I think not. You truly deserve any public mocking that will hopefully follow a disclosure of such neglect.

  6. By Ken () on

    I'm a bit surprised to see this news posted today. I remember printing the article and reading it a long time ago (well, a few months before). Is there any particular reason to mention it now?

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]