Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Block OS Detection
From: "Robert E. Lee" <robert () outpost24 com>
Date: Wed, 05 Sep 2007 11:22:53 +0200

Jon DeShirley wrote:
Changing default stack values will give you a little bit of protection
from OS fingerprinting, but there are usually other identifiers that
will give your stack away.  Dropping SYN+FIN, altering default TCL TTL
values, changing the default TCP window size, and a few other things
will fool a passive OS fingerprint.  A few of the techniques are
documented here: http://www.zog.net/Docs/nmap.html .

But this is all moot, unless you go through all your service banners
to sanitize them and block all default services (ie: Active Directory,
Linuxconf, or ToolTalk) that would give your platform away.

This type of obfuscation was in vogue for a few years in the late 90's
and early 2000's.  It was commonly believed that an attacker would
follow the same method as a vulnerability assessor to attack a system;
namely port scan, service/system enumeration, attempt to exploit known
problems.  Because of this mistaken belief, vulnerability assessors
started recommending that their customers do things that only slow down
a vulnerability assessor (IPS that blocks port scans, Stack Obfuscation,
Banner Obfuscation, etc).

Unfortunately, this is not how automated attacks work.  In an automated
attack, the attacker simply targets a wide number of systems, attempts
the exploit of choice, and moves on to the next host if it fails.  It
doesn't care what the TCP/IP stack properties say, nor what the banner says.

Lately it has been argued that leaving the banner information intact
helps the administrator more than it hurts.  Having the version
information available allows an admin an easy way to poll his systems to
see which are vulnerable.  Without that ability, the admin is more
likely to leave out of date/vulnerable software running.

If you've changed your TCP/IP stack characteristics, you may actually
make yourself more insecure.  I remember some people started emulating
really old and obscure systems stacks. This emulation actually
reintroduced predictable sequence numbers, making their systems
vulnerable to hijacking.

Obfuscation does not protect your system/service. There is no measurable
benefit in blocking OS Detection or changing banners.


Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead

phone: +46-455-61-2320
fax  : +46-455-1-3960
email: robert () outpost24 com

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]