[OSFP] a solution against 'xprobe2' and 'nmap -O' ??



Amine Elleuch
07-09-2005, 11:52 PM
Hi there,

I'm looking for a solution that can make it impossible for a hacker to get
the OS version of my servers by fingerprinting (using for example
'nmap -O' or 'xprobe2'). Does anyone know an efficient means?

I heard about IP Personality for Linux; is there an equivalent for Windows?
Are there some tools designed for Windows?

Thanks in advance,

Amine

Steve Clark [MSFT]
07-09-2005, 11:52 PM
IPsec works nicely.

You can see on a sniffer for example that the syn-ack never gets sent from
an IPsec enabled responder back to the would-be attacker. Since the
"attacker" is probably not able to AuthN with IKE, they won't see
*anything*. No listening ports, nada. The host simply won't respond.



"Amine Elleuch" <amine.elleuch@gmail.com> wrote in message
news:1116882997.462673.247810@g43g2000cwa.googlegroups.com...
> Hi there,
>
> I'm looking for a solution that can make it impossible for a hacker to get
> the OS version of my servers by fingerprinting (using for example
> 'nmap -O' or 'xprobe2'). Does anyone know an efficient means?
>
> I heard about IP Personality for Linux; is there an equivalent for Windows?
> Are there some tools designed for Windows?
>
> Thanks in advance,
>
> Amine
>

Imhotep
07-09-2005, 11:52 PM
Amine Elleuch wrote:

> Hi there,
>
> I'm looking for a solution that can make it impossible for a hacker to get
> the OS version of my servers by fingerprinting (using for example
> 'nmap -O' or 'xprobe2'). Does anyone know an efficient means?
>
> I heard about IP Personality for Linux; is there an equivalent for Windows?
> Are there some tools designed for Windows?
>
> Thanks in advance,
>
> Amine


I am not sure if this is at all possible. Different OSes can be
fingerprinted by certain traits they possess even in the TCP three-way handshake.

If you do in fact add some kind of software to try and mimic another operating
system, you could be making things worse because you now have another piece
of software to patch and manage, not to mention any piece of software
operating at this level could result in a hack/crack if it contains a
bug...

In short, I do not see many positives by using such a piece of software...


-Im

Karl Levinson, mvp
07-09-2005, 11:52 PM
Simple. Just use a firewall. Such fingerprinting by nmap requires that certain
ports respond to various packet probes.

Note that hiding your OS from such a scan does very little to help your
security. Most attackers don't bother to check before they attack.

An attacker on or near your local network may be able to guess your OS
passively just by sniffing your network traffic, but again a firewall could
help here. But when you browse the Internet, your web browser usually
announces what OS it's on with every request, and again someone could
possibly detect that.

I would probably ignore such probes, since they are probably not skilled
attackers.



"Amine Elleuch" <amine.elleuch@gmail.com> wrote in message
news:1116882997.462673.247810@g43g2000cwa.googlegroups.com...
> Hi there,
>
> I'm looking for a solution that can make it impossible for a hacker to get
> the OS version of my servers by fingerprinting (using for example
> 'nmap -O' or 'xprobe2'). Does anyone know an efficient means?
>
> I heard about IP Personality for Linux; is there an equivalent for Windows?
> Are there some tools designed for Windows?
>
> Thanks in advance,
>
> Amine
>

Imhotep
07-09-2005, 11:52 PM
Karl Levinson, mvp wrote:

> Simple. Just use a firewall. Such fingerprinting by nmap requires that
> certain ports respond to various packet probes.

A firewall will only help in the case that you do not need/allow any
incoming connections (ports). In the case that you *do* need incoming ports it
will not help out much (for hiding your OS type, etc.)

> Note that hiding your OS from such a scan does very little to help your
> security. Most attackers don't bother to check before they attack.

Not true. This, OS fingerprinting, is good during the reconnaissance phase
of hacking/cracking, i.e. know your enemy before engaging your enemy.

> An attacker on or near your local network may be able to guess your OS
> passively just by sniffing your network traffic, but again a firewall
> could
> help here.

If your local LAN is a switched environment then this is not true. In a
switched LAN environment they will only see your broadcasts (typically ARP
requests) and your multicasts (if you use anything that uses multicasts,
that is). For someone to passively "hear" your communications they need:

1) Access to a router that you are passing traffic through
2) You and them to be on a shared medium (hub, i.e. non-switched)
3) Access to the switch you are on (and using port mirroring)
4) There is probably something else, I can't remember... :-(

> But when you browse the Internet, your web browser usually
> announces what OS it's on with every request, and again someone could
> possibly detect that.

True. Some browsers allow you to configure what it sends out. KDE's
Konqueror is one. *YOU* tell it what it is allowed to tell web servers.
Pretty cool.

> I would probably ignore such probes, since they are probably not skilled
> attackers.

That's a mighty big assumption... What is your IP address? Ah,
pool-71-240-224-184.fred.east.verizon.net... never mind.

:-)
-Im

> "Amine Elleuch" <amine.elleuch@gmail.com> wrote in message
> news:1116882997.462673.247810@g43g2000cwa.googlegroups.com...
>> Hi there,
>>
>> I'm looking for a solution that can make it impossible for a hacker to get
>> the OS version of my servers by fingerprinting (using for example
>> 'nmap -O' or 'xprobe2'). Does anyone know an efficient means?
>>
>> I heard about IP Personality for Linux; is there an equivalent for Windows?
>> Are there some tools designed for Windows?
>>
>> Thanks in advance,
>>
>> Amine
>>

Karl Levinson [x y] mvp
07-09-2005, 11:52 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:BfEke.150$_36.22@fed1read03...

> A firewall will only help in the case that you do not need/allow any
> incoming connections (ports). In the case that you *do* need incoming ports
> it will not help out much (for hiding your OS type, etc.)

Which most home users don't. Even if you need to open one or two ports, I
believe nmap needs a few more than that to be open to do an active
fingerprint scan, at least some of which must be UDP ports. Most users very
rarely need to open UDP ports inbound.

> > Note that hiding your OS from such a scan does very little to help your
> > security. Most attackers don't bother to check before they attack.
>
> Not true. This, OS fingerprinting, is good during the reconnaissance
> phase of hacking/cracking, i.e. know your enemy before engaging your enemy.

You've been reading too many "Hacking Exposed" books. Most home users are
not likely to encounter an attacker that bothers to enumerate the OS, and a
skilled attacker would probably not be using such a noisy and easy-to-detect
scan as nmap's active OS fingerprinting. If you keep your system at least
reasonably secure, you have nothing to worry about from fingerprinting.

> > An attacker on or near your local network may be able to guess your OS
> > passively just by sniffing your network traffic, but again a firewall
> > could
> > help here.
>
> If your local LAN is a switched environment then this is not true. In a
> switched LAN environment they will only see your broadcasts (typically ARP
> requests) and your multicasts (if you use anything that uses multicasts,
> that is). For someone to passively "hear" your communications they need:

Don't rely on switches for security, they are not secure. It is trivial to
sniff on a switch using free software, and I would still consider that
"passive" sniffing, as no scan packets necessarily need to be directed at
the target host.

> True. Some browsers allow you to configure what it sends out. KDE's
> Konqueror is one. *YOU* tell it what it is allowed to tell web servers.
> Pretty cool.

Agreed, it is a nice feature. Pretty much all browsers let you change the
user-agent string, including IE 6 [programmed some 6 years ago] and Firefox.

> > I would probably ignore such probes, since they are probably not skilled
> > attackers.
>
> That's a mighty big assumption... What is your IP address? Ah,
> pool-71-240-224-184.fred.east.verizon.net... never mind.

The field of network intrusion detection is full of assumptions. If you
were compromised, you would probably start seeing other more meaningful
signs. Most people would go crazy if they panicked and investigated every
time they were scanned with nmap, and they would have little time and energy
left over to investigate the real intrusion they overlooked.

Imhotep
07-09-2005, 11:52 PM
Karl Levinson [x y] mvp wrote:

>
> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:BfEke.150$_36.22@fed1read03...
>
>> A firewall will only help in the case that you do not need/allow any
>> incoming connections (ports). In the case that you *do* need incoming ports
>> it will not help out much (for hiding your OS type, etc.)
>
> Which most home users don't. Even if you need to open one or two ports, I
> believe nmap needs a few more than that to be open to do an active
> fingerprint scan, at least some of which must be UDP ports. Most users
> very rarely need to open UDP ports inbound.

Not true anymore. A lot of home users are opening up incoming ports. Some
video conferencing software requires it; other home users are also
using VNC to connect to their machines remotely, etc., etc...

As for the number of ports needed, it can be as little as one!

>> > Note that hiding your OS from such a scan does very little to help your
>> > security. Most attackers don't bother to check before they attack.
>>
>> Not true. This, OS fingerprinting, is good during the reconnaissance
>> phase of hacking/cracking, i.e. know your enemy before engaging your enemy.
>
> You've been reading too much "hacking exposed" books.

Ahhhhh no.

> Most home users are
> not likely to encounter an attacker that bothers to enumerate the OS, and
> a skilled attacker would probably not be using such a noisy and easy-to-detect
> scan as nmap's active OS fingerprinting. If you keep your system at least
> reasonably secure, you have nothing to worry about from fingerprinting.

OS enumeration is a lot less "noisy" than a full-out scan. For example, I do
a slow and drawn-out OS scan on you. I see that you are using XP pre-SP2.
That tells me a lot right there... and to boot, I did it without creating a
lot of "noise". If used right, OS fingerprinting is a nice addition to the
reconnaissance phase...

>> > An attacker on or near your local network may be able to guess your OS
>> > passively just by sniffing your network traffic, but again a firewall
>> > could
>> > help here.
>>
>> If your local LAN is a switched environment then this is not true. In a
>> switched LAN environment they will only see your broadcasts (typically ARP
>> requests) and your multicasts (if you use anything that uses multicasts,
>> that is). For someone to passively "hear" your communications they need:
>
> Don't rely on switches for security, they are not secure.

I did not say I relied on switches for security... I said just the
opposite. If you gain access to a switch, it is trivial to port mirror
someone and hence sniff everything they are doing (sending/receiving).

> It is trivial
> to sniff on a switch using free software, and I would still consider that
> "passive" sniffing, as no scan packets necessarily need to be directed at
> the target host.

This is where I disagree with you. A switch will *not* allow you to hear
someone else's unicast packets. All you will hear is someone else's broadcasts
(99% ARPs) and multicasts (if in fact you have any). But, understand what I
am saying, if you sniff on your port, you will not "hear" my unicast (95%
of the packets I generate/receive) even if I am sitting in the cube next to
you. That is *not* how a switch works!

The real danger in a switched environment comes from ARP poisoning. That is
how you screw with someone on a LAN. But again, packet sniffing on a switch
is useless... (unless you use port mirroring but, again, you need to have
access (login passwords) to the switch)


>> True. Some browsers allow you to configure what it sends out. KDE's
>> Konqueror is one. *YOU* tell it what it is allowed to tell web servers.
>> Pretty cool.
>
> Agreed, it is a nice feature. Pretty much all browsers let you change the
> user-agent string, including IE 6 [programmed some 6 years ago] and
> Firefox.

Are you sure Firefox and IE can do this? I just checked my Firefox and I did
not see the option, and I do not use IE... the only browser I personally
know of that can do this is KDE's...

>> > I would probably ignore such probes, since they are probably not
>> > skilled attackers.
>>
>> That's a mighty big assumption... What is your IP address? Ah,
>> pool-71-240-224-184.fred.east.verizon.net... never mind.
>
> The field of network intrusion detection is full of assumptions. If you
> were compromised, you would probably start seeing other more meaningful
> signs. Most people would go crazy if they panicked and investigated every
> time they were scanned with nmap, and they would have little time and
> energy left over to investigate the real intrusion they overlooked.

This is true, but when you have been doing security work for some time you
definitely know what to look out for and what can be safely ignored.
However, I am not advocating ignorance. Security is something that every
user should have, at least, a basic understanding of...


-Im
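The ARP-poisoning risk Imhotep describes above is also the one thing a host on a switched LAN can watch for itself, because ARP replies are visible on its own port even though other people's unicast traffic is not. The following monitor is an added example and not code from the thread; the ARP replies and the pinned gateway binding are constructed sample data:

```python
from collections import defaultdict

# Constructed ARP replies ("IP is-at MAC") as one host would see them on a
# switched LAN, where ARP is visible even though unicast traffic is not.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),  # gateway, legitimate
    ("192.168.1.10", "00:11:22:33:44:0a"),
    ("192.168.1.20", "00:11:22:33:44:14"),
    ("192.168.1.1",  "00:11:22:33:44:14"),  # gateway re-announced with .20's MAC
    ("192.168.1.10", "00:11:22:33:44:14"),  # .10 also claimed by the same MAC
]

# Bindings that must never change (the default gateway, typically). In a real
# deployment these come from a static ARP table, not from observed traffic.
PINNED = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, pinned=None):
    """Return a list of (severity, message) alerts for (ip, mac) ARP replies.
    Two symptoms are flagged:
      - an IP whose announced MAC changes (HIGH if that IP is pinned),
      - one MAC claiming more than one IP, the man-in-the-middle shape where
        an attacker impersonates both the gateway and a victim.
    A DHCP re-lease or a NIC swap also changes a binding, so MEDIUM alerts
    need a human look; a contradicted pinned entry does not."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ip_to_mac = dict(pinned)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            sev = "HIGH" if ip in pinned else "MEDIUM"
            alerts.append((sev, f"{ip} moved from {known} to {mac}"))
        if ip not in pinned:  # traffic never overwrites a pinned binding
            ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            ips = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(("MEDIUM", f"{mac} claims several IPs: {ips}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect_arp_poisoning(SAMPLE_ARP_REPLIES, PINNED):
        print(severity, message)
```

On a real host the replies would come from a packet capture of ARP traffic; the gateway pin is what turns a noisy "MAC changed" heuristic into a definite alert.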

Karl Levinson, mvp
07-09-2005, 11:52 PM
"Imhotep" <NoSpam@nothanks.net> wrote in message
news:dPUke.22793$wq.8213@fed1read06...

> This is where I disagree with you. A switch will *not* allow you to hear
> someone else's unicast packets. All you will hear is someone else's broadcasts
> (99% ARPs) and multicasts (if in fact you have any). But, understand what I
> am saying, if you sniff on your port, you will not "hear" my unicast (95%
> of the packets I generate/receive) even if I am sitting in the cube next
> to you. That is *not* how a switch works!
>
> The real danger in a switched environment comes from ARP poisoning. That
> is how you screw with someone on a LAN. But again, packet sniffing on a
> switch is useless... (unless you use port mirroring but, again, you need to have
> access (login passwords) to the switch)

The shijack tool for example lets you easily sniff unicast packets on a
switch via arp spoofing / poisoning, I've participated in a live
demonstration of this. You're also right that an attacker can often
reconfigure a switch or, I've heard, flood some switches with arp packets to
force it into hub mode.

> > Agreed, it is a nice feature. Pretty much all browsers let you change
> > the user-agent string, including IE 6 [programmed some 6 years ago] and
> > Firefox.
>
> Are you sure Firefox and IE can do this? I just checked my Firefox and I
> did not see the option, and I do not use IE... the only browser I personally
> know of that can do this is KDE's...

Yeah, it's unfortunately not configured via the GUI. It's located in the
registry for IE and in a text config file in the Windows user profile for
Firefox. I've configured both in this manner and sniffed the traffic to
confirm the change. Google should have further details on this.
