OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
RE: Block OS Detection

From: alan (alanclueserver.org)
Date: Tue Sep 04 2007 - 13:11:49 CDT


On Mon, 3 Sep 2007, Andrew Court wrote:

> Sup,
>
> Maybe an easier method would be to confuse any would be atacker by
> changing banner information to different versions and architectures. For
> example, if this is a linux box with apache, put IIS style error
> pages(403, 404 etc), and replace the banner information with what you
> would find on an IIS server. If I was doing an NMAP scan and it said
> Linux, but the banner information was that of a Windows Machine, I would
> be a bit confused, and may assume Nmap is lying(it does happen). You
> could move enable port knockng so the ssh port does not get found in the
> initial scans. Any further attempts at correctly identify the OS of the
> server, should be noisy enough for your IDS to pick it up.

There are also a couple of hacks that will "randomize" the responses from
tcp requests that make it difficult for nmap to determine which OS is
running. (I believe that nmap use a behavioral analysis of network
requests to determine the OS more than trusting any banner.)

With Apache, you can change the banner to report anything you want.
(Useful when building a honeypot.)

>
> Regards,
>
> Andrew Court
>
> IT Security Specialist | BT Retail - Ireland |
> E:Andrew.Courtbt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432 5899|
> www.btireland.com
>
>
>
> -----Original Message-----
> From: Jonathan Yu [mailto:jonathan.i.yugmail.com]
> Sent: 01 September 2007 13:32
> To: Gadi Evron
> Cc: Attari Attari; pen-testsecurityfocus.com;
> pen-test-return-1078485025securityfocus.com
> Subject: Re: Block OS Detection
>
>
> Hi there,
>
> I am by no means an expert, but I believe that each TCP stack produces a
> "unique" signature. Each operating system's stack behaves a certain way
> and there are quirks based on the implementation, so I think that you
> will still be able to fingerprint the operating system based on those
> unless you do some sort of scrubbing (which would be pretty difficult).
> Perhaps replacing the entire stack with something used by a lot of
> people on different systems would give you the protection you require?
>
> Jonathan Yu
>
> On 9/1/07, Gadi Evron <gelinuxbox.org> wrote:
>> Not everything is good, but you can overwrite different packet values
>> using.. a firewall for example.
>>
>> Just one thingie.
>>
>>
>> On Fri, 31 Aug 2007, Attari Attari wrote:
>>
>>> Hello All:
>>>
>>> Is there a PRACTICAL solution from PRODUCTION
>>> environments that can be used to block OS detection
>>> from tools like NMAP? I googled and read some notes
>>> but couldn't find a real world solution to blocking
>>> Windows & Linux OS detection.
>>>
>>> I'm quite sure I'll get the right inputs here.
>>>
>>> Thank you.
>>>
>>> Attari
>>>
>>>
>>> Unlimited freedom, unlimited storage. Get it now, on
>>> http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html/
>>>
>>> --------------------------------------------------------------------
>>> ----
>>> This list is sponsored by: Cenzic
>>>
>>> Need to secure your web apps NOW?
>>> Cenzic finds more, "real" vulnerabilities fast.
>>> Click to try it, buy it or download a solution FREE today!
>>>
>>> http://www.cenzic.com/downloads
>>> --------------------------------------------------------------------
>>> ----
>>>
>>
>> ----------------------------------------------------------------------
>> --
>> This list is sponsored by: Cenzic
>>
>> Need to secure your web apps NOW?
>> Cenzic finds more, "real" vulnerabilities fast.
>> Click to try it, buy it or download a solution FREE today!
>>
>> http://www.cenzic.com/downloads
>> ----------------------------------------------------------------------
>> --
>>
>>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>

--
Refrigerator Rule #1: If you don't remember when you bought it, Don't eat it.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------