Cameron,
I have read the article in SysAdmin magazine; unfortunately, it is not enough to fool me :)
The article, for those who do not subscribe to SysAdmin, deals with changing parameters on Solaris so that NMAP will not detect it. The article suggests changing the PMTU policy and hardening the sequence numbering.
But there are a lot of other wild ideas we can use that will reveal the Solaris box. Changing the most common identification parameters will not hide the others :)
Sure, it will make the job harder, but not impossible.
Ofir Arkin [ofir_at_itcon-ltd.com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com
Founder
http://www.sys-security.com
"Opinions expressed do not necessarily
represent the views of my employer."
-----Original Message-----
From: Cameron Palmer [mailto:cameron_palmer_at_hotmail.com]
Sent: Sunday, November 05, 2000 2:50 AM
To: of_at_securityfocus.com; ofir_at_itcon-ltd.com; lance_at_spitzner.net
Cc: nmap-hackers_at_insecure.org
Subject: NMAP Identity obscuring
I know we have seen the argument before, but the recent SysAdmin magazine has an article on Solaris security. They recommend changing some NDD parameters to obscure the identity of Solaris from nmap. They have some interesting points, which is essentially that they aren't looking for that as the sole form of protection of the machine but merely making Solaris conform to the RFCs instead of having its own quirks that give away too much information. I would normally be dissuaded by security-by-obscurity arguments, but by taking out the things that make the OS unique and conforming to RFCs you do raise the ante, as it were. Additionally, I've seen some other good OS tuning parameters with NDD that help performance and are a good idea, like fixing your Quad card to have multiple MAC addresses instead of the single hostid. Apparently you can gain a 40% speed boost on a Checkpoint firewall. This came from the Checkpoint web site. They have a number of recommendations for security-related changes.
Any thoughts?
cameron.
From: Oliver Friedrichs <of_at_securityfocus.com>
To: Ofir Arkin <ofir_at_itcon-ltd.com>, Lance Spitzner <lance_at_spitzner.net>
CC: nmap-hackers_at_insecure.org
Subject: RE: firewalk meets nmap - TTL (tested)
Date: Sat, 04 Nov 2000 15:36:23 -0800
>Lance, we should automate this somehow. This is a cool thing.
>But again correct configuration will prevent this from happening.
This is a really neat idea. It should be easy to automate: if you add some traceroute functionality to nmap to determine the hop where packets are being dropped (this would be the firewall), then you only need to specify an address on the internal network. I think nmap could use UDP/TCP ACK/ICMP traceroute functionality anyway. And while you're at it, make it parallel: send out 32 packets with incrementing TTLs at the very start, none of this one-hop-at-a-time slowness.
- Oliver
--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
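A defender-side counterpart to the parallel TTL sweep Oliver describes above, added here as an example (not code from the list or from nmap): it reads firewall-log lines in a constructed format and flags any source whose probes cover a run of consecutive TTLs inside a short time window. The log format, addresses, window and run threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed log format for this example: "<epoch> <src> <dst> <proto> ttl=<n>"
LINE_RE = re.compile(r"^(?P<ts>[\d.]+) (?P<src>\S+) \S+ \S+ ttl=(?P<ttl>\d+)$")
# Constructed sample log (not real traffic): 10.0.0.5 fires 32 probes with
# TTL 1..32 inside one second; the other sources are ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"1000.{i:02d} 10.0.0.5 192.168.1.20 UDP ttl={i + 1}" for i in range(32)]
    + ["1001.10 10.0.0.7 192.168.1.20 TCP ttl=64",
       "1001.20 10.0.0.7 192.168.1.21 TCP ttl=64",
       "1002.00 10.0.0.9 192.168.1.22 UDP ttl=128"]
)

def parse(log):
    """Return (timestamp, src, ttl) tuples for every well-formed line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m["ts"]), m["src"], int(m["ttl"])))
    return events

def longest_run(ttls):
    """Longest run of consecutive integers in a set, as (start, end) or None."""
    best = None
    for t in sorted(ttls):
        if t - 1 in ttls:
            continue  # only start counting at the lowest TTL of a run
        end = t
        while end + 1 in ttls:
            end += 1
        if best is None or end - t > best[1] - best[0]:
            best = (t, end)
    return best

def find_ttl_sweeps(events, window=2.0, min_run=8):
    """Sources whose probes cover >= min_run consecutive TTLs within `window` s."""
    by_src = defaultdict(list)
    for ts, src, ttl in events:
        by_src[src].append((ts, ttl))
    hits = {}
    for src, probes in by_src.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):
            run = longest_run({ttl for ts, ttl in probes[i:] if ts - start <= window})
            if run and run[1] - run[0] + 1 >= min_run:
                if src not in hits or run[1] - run[0] > hits[src][1] - hits[src][0]:
                    hits[src] = run
    return hits
```

A hop-at-a-time traceroute spreads the same TTLs over many seconds and falls outside the window, so the detector keys on the burst rather than on TTL values alone.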
Received on Nov 23 2000