A practical approach for defeating Nmap OS-Fingerprinting

    Date: 20 Feb 2004
    Posted By: Anthony Pell
    Sure, this is security-through-obscurity, but that's not a bad thing unless you're depending on it. As yet another additional layer to your security model, though, it is definitely a worthy contender. After all, knowing the OS you are running gives a black-hat a lot to work with. Even if you do not successfully spoof a different operating system, it's a clear gain to smudge your own fingerprint.

    . . . In my opinion, it's pretty clear that we can't rely on only one security tool to remotely guess the operating system. This paper has shown that it's very easy to fool Nmap (and other similar tools) when they try to profile a remote device, and that all those attempts can be properly logged by the remote administrator. To successfully fingerprint an OS remotely, all possible methods have to be combined, starting with the simpler ones (banner grabbing, looking for job postings, social engineering, ...) and moving on to the more complex ones (network stack fingerprinting). Every open service on a remote device has to be properly analyzed (banner, responses, behavior under attack, DoS, known errors) and documented. It would even be possible (although not ethical) to run tools that are known to crash specific OS versions (nuke, land, teardrop, ...) to confirm the guess.

    Although all these solutions can be modified to detect and fool any other TCP/IP fingerprinting tool (you only need to know which packets it sends), it is highly recommended to use several tools when doing a remote OS fingerprint. Nmap is perhaps the most widely used, but there is another tool that also works well: Xprobe. Xprobe also has a signature database (not updated very often), and its final guess is probabilistic (fuzzy matching), depending on the various answers it receives. One of Xprobe's biggest problems is that it is rarely updated and includes very few signatures. Nmap reports the remote OS only if its test results exactly equal that OS's signature in the database, but you can run Nmap with the --osscan_guess (or --fuzzy) switch, and then it performs a more aggressive OS guess, looking for the best match available in its signature database. There is a paper on Xprobe's specification and usage that explains why its idea and implementation seem to be so good and so valid. I think it should be executed as a partner to Nmap, in case you can send both TCP and ICMP packets against the target host. Xprobe could be an effective tool in poorly secured networks, because it sends ICMP timestamp and ICMP netmask requests, which can look suspicious to a network administrator. It does not send bogus packets (uncommon TCP packets; the reserved bits are rarely used) to detect the remote OS; it simply sends 'normal' traffic (ICMP) to the target host, making it harder (if not impossible) to detect such packets (and therefore to act accordingly). This approach was first used in sing (Send ICMP Nasty Garbage), which can be executed with the -O switch to do OS fingerprinting (with the ICMP type you choose). It should be difficult for any IDS or network implementation to detect that those ICMP packets have another function, simply because there is a huge number of such ICMP packets on our networks every day.

    On the other hand, ICMP is now blocked by default in almost every network environment, making an ICMP-based remote OS fingerprint impossible, but you can usually find some TCP services in those environments and shoot your Nmap packets at them.
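    To make the exact-match versus best-match distinction concrete, here is an added example (not code from the paper, from Nmap or from Xprobe): a small matcher over a constructed signature database. The test names, the weights and every signature value below are invented for the illustration and are not entries from nmap-os-fingerprints; real Nmap scoring differs. The example also shows which tests a packet-rewriting router would still have to change before an impersonation survives the exact match.

```python
"""Exact versus fuzzy OS-signature matching: the distinction between Nmap's default
behaviour and its --osscan_guess / --fuzzy mode, as an added illustration.  Test
names, weights and signature values are constructed for this example; they are not
entries from nmap-os-fingerprints."""

# Weight per test: features a stack can rewrite cheaply (window size, IP ID pattern)
# count less than structural ones (option layout, behaviour under odd flag combos).
WEIGHTS = {"win": 1, "ipid": 1, "opts": 3, "df": 2, "ttl": 2, "t2_resp": 3, "t3_flags": 3}

SIGNATURE_DB = {  # constructed signatures, not real Nmap entries
    "Linux 2.4.x (constructed)": {"win": 0x16D0, "ipid": "incr", "opts": "MSTNW",
                                  "df": True, "ttl": 64, "t2_resp": False, "t3_flags": "SA"},
    "Windows 2000 (constructed)": {"win": 0x4000, "ipid": "incr", "opts": "MNWNNTNNS",
                                   "df": True, "ttl": 128, "t2_resp": True, "t3_flags": "SA"},
    "OpenBSD 3.x (constructed)": {"win": 0x4000, "ipid": "rand", "opts": "MNNSNW",
                                  "df": False, "ttl": 64, "t2_resp": False, "t3_flags": "SA"},
}


def match_exact(observed, db=SIGNATURE_DB):
    """Default Nmap behaviour: a signature matches only if every test agrees."""
    return [name for name, sig in db.items()
            if all(observed.get(test) == value for test, value in sig.items())]


def match_fuzzy(observed, db=SIGNATURE_DB, threshold=0.75):
    """--osscan_guess style: weighted fraction of agreeing tests, best first,
    reporting every candidate at or above the threshold."""
    scored = []
    for name, sig in db.items():
        total = sum(WEIGHTS[test] for test in sig)
        agree = sum(WEIGHTS[test] for test, value in sig.items() if observed.get(test) == value)
        scored.append((round(agree / total, 2), name))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [pair for pair in scored if pair[0] >= threshold]


def still_to_fake(observed, target_name, db=SIGNATURE_DB):
    """Which tests a packet-rewriting router would still have to alter before the
    observation is an *exact* match for the target signature."""
    return {test: value for test, value in db[target_name].items()
            if observed.get(test) != value}


def on_the_wire(real, **rewritten):
    """Observation of stack `real` after a router rewrites some of its features."""
    observed = dict(real)
    observed.update(rewritten)
    return observed


LINUX = SIGNATURE_DB["Linux 2.4.x (constructed)"]

if __name__ == "__main__":
    # untouched stack: both modes agree
    print(match_exact(LINUX), match_fuzzy(LINUX))
    # one cheap change (window size) kills the exact match; fuzzy still sees Linux
    smudged = on_the_wire(LINUX, win=0x4000)
    print(match_exact(smudged), match_fuzzy(smudged))
    # several rewritten features: the fuzzy guess flips to the impersonated OS
    spoofed = on_the_wire(LINUX, win=0x4000, opts="MNWNNTNNS", ttl=128)
    print(match_exact(spoofed), match_fuzzy(spoofed))
    print(still_to_fake(spoofed, "Windows 2000 (constructed)"))
```

    The design point is the weighting: smudging a single cheap field is enough to defeat an exact match, but a fuzzy matcher still names the real stack with high confidence, so a convincing impersonation has to rewrite the structural tests (option layout, responses to odd flag combinations) as well.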

    Just to be accurate, there is also another OS fingerprinting tool, named p0f; p0f listens on your network for the first SYN of a TCP connection and grabs that packet's options (together with fields such as TTL, window size and the DF bit). If they match an entry in its signature database, then it can guess the OS; again, changing any of the fields that p0f looks at will completely fool it. If, for instance, we use IP Personality to change every packet's window size, we can fake our responses and fool p0f.

    Administrators should also carefully configure all their devices so that they do not reveal anything that can be used to identify them (banners, issue files, common services open by default, ...) and run one of the tools that can log OS fingerprinting attempts, because it's very likely that the IP addresses wanting to know your OS will be attacking your network shortly afterwards. Besides, setting up a Linux router with IP Personality and fooling everyone outside your network into thinking you're running a different OS (with any of the options shown in this paper) could be a good security measure.
