Nmap Announce mailing list archives
Re: OS Detection Question
From: Nelson <stderr () unreal sekure org>
Date: Thu, 4 May 2000 10:58:47 -0300 (BRT)
For Linux, get the patch. On Windows NT try filters: Network Neighborhood -> Protocols -> TCP/IP -> Properties -> IP Address -> Advanced -> Enable Security -> Configure -> bla bla bla...

I've made a registry script to do this:

----filter.reg
; REGEDIT4 header so regedit will import the file (hex(7) data below is ANSI)
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NIC-NAME>\Parameters\Tcpip]
; http(80)
"TCPAllowedPorts"=hex(7):38,30,00,00
; rip(520)
"UDPAllowedPorts"=hex(7):35,32,30,00,00
; tcp(6) and udp(17)
"RawIPAllowedProtocols"=hex(7):36,00,31,37,00,00
----filter.reg

Did you get it?

38,30    == 80  == http
35,32,30 == 520 == rip
36       == 6   == tcp
31,37    == 17  == udp
00,00    == NULL == end
00       == SPACE == and

To know what the NIC-NAME is, search in:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards]

It works for me. Look:

Before filters:

rewt:~# nmap -v -sT -O 172.17.1.1

Starting nmap V. 2.30BETA17 by fyodor () insecure org ( www.insecure.org/nmap/ )
Host (172.17.1.1) appears to be up ... good.
Initiating TCP connect() scan against (172.17.1.1)
Adding TCP port 139 (state Open).
Adding TCP port 135 (state Open).
The TCP connect scan took 44 seconds to scan 1517 ports.
For OSScan assuming that port 135 is open and port 422 is closed and neither are firewalled
For OSScan assuming that port 135 is open and port 422 is closed and neither are firewalled
For OSScan assuming that port 135 is open and port 422 is closed and neither are firewalled
WARNING: OS didn't match until the 3 try
Interesting ports on (172.17.1.1):
Port    State       Service
135/tcp open        loc-srv
139/tcp open        netbios-ssn

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=10214 (Worthy challenge)
Sequence numbers: 82159285 821671B0 8216F2F9 8217B423 82187D56 82197619
Remote operating system guess: Microsoft NT 4.0 Server SP5 + 2047 Hotfixes

Nmap run completed -- 1 IP address (1 host up) scanned in 69 seconds
rewt:~#

After filters:

rewt:~# nmap -v -sU -O 172.17.1.1 -p 520

Starting nmap V. 2.30BETA17 by fyodor () insecure org ( www.insecure.org/nmap/ )
Host (172.17.1.1) appears to be up ... good.
Initiating FIN,NULL, UDP, or Xmas stealth scan against (172.17.1.1)
The UDP or stealth FIN/NULL/XMAS scan took 0 seconds to scan 1 ports.
Interesting ports on (172.17.1.1):
Port    State       Service
520/udp open        route

Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 18 seconds
rewt:~#

PS: Sorry about my poor English. =P

That's all,
--
/* Nelson Brito - Sekure SDI
 * http://stderr.sekure.org/ */

On Wed, 3 May 2000, John Turner wrote:
> I have searched the net looking for a definitive answer to this question
> but have come up dry.
>
> QUESTION: Is there a way to completely fool (or block) OS detection from
> scanners (like nmap, queso, etc.) using the Linux OS? What about Windoze?
>
> Any insight would be greatly appreciated.
>
> Regards,
> John
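The hex(7) port lists in the filter.reg above are easy to get wrong by hand, and the byte layout differs between the REGEDIT4 (ANSI) format an NT 4.0 script uses and the UTF-16LE "Windows Registry Editor Version 5.00" format. The Python below is an added example, not part of the post and not Nelson's script: it encodes and decodes REG_MULTI_SZ values in both formats, parses a .reg file back into port lists (with regedit's backslash line continuations), and renders a filter.reg for one adapter. The adapter name "Elnk31", the function names and the sample file it builds are illustrative assumptions.

```python
"""Added example (not from the post): encode/decode the hex(7) REG_MULTI_SZ
port lists used by the NT 4.0 TCP/IP security filter keys, parse them back
out of a .reg file, and render a filter.reg for one adapter."""
import re

# Registry paths from the post; "{nic}" is filled with the adapter's service name
TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
NIC_TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{nic}\Parameters\Tcpip"


def encode_multi_sz(items, unicode=False):
    """REG_MULTI_SZ: each string NUL-terminated, the list closed by one more NUL.
    REGEDIT4 files carry ANSI bytes; Version 5.00 files carry UTF-16LE, so every
    NUL becomes two bytes. Returns regedit's comma-separated hex form."""
    enc = "utf-16-le" if unicode else "ascii"
    nul = b"\x00\x00" if unicode else b"\x00"
    data = b"".join(s.encode(enc) + nul for s in items) + nul
    return ",".join(f"{b:02x}" for b in data)


def decode_multi_sz(hexdata, unicode=False):
    """Inverse of encode_multi_sz; tolerates regedit's '\\' + newline + indent
    continuations inside the hex data."""
    clean = re.sub(r"[\s\\]", "", hexdata)
    raw = bytes(int(h, 16) for h in clean.split(",") if h)
    text = raw.decode("utf-16-le" if unicode else "ascii")
    # drop the list terminator, then split on the per-string NULs
    return [s for s in text.rstrip("\x00").split("\x00") if s]


def parse_reg(text):
    """Minimal REGEDIT4 / Version 5.00 reader: {key: {name: [strings]}} for every
    hex(7) value. Other value types (dword, sz) are ignored; ';' lines are comments."""
    unicode = text.lstrip().startswith("Windows Registry Editor")
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continuation lines
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = re.match(r'"([^"]+)"=hex\(7\):(.*)$', line)
        if m and key is not None:
            result[key][m.group(1)] = decode_multi_sz(m.group(2), unicode)
    return result


def render_filter_reg(nic, tcp=(), udp=(), rawip=("6", "17")):
    """Build the post's filter.reg (REGEDIT4, ANSI) for one adapter.
    NT 4.0 treats a list consisting only of "0" as 'permit all', which is easy to
    emit by accident from a half-filled config, so refuse it here."""
    for name, lst in (("tcp", tcp), ("udp", udp), ("rawip", rawip)):
        if list(lst) == ["0"]:
            raise ValueError(f"{name}: a bare '0' permits everything; be explicit")
    lines = [
        "REGEDIT4",
        "",
        f"[{TCPIP_PARAMS}]",
        '"EnableSecurityFilters"=dword:00000001',
        "",
        f"[{NIC_TCPIP.format(nic=nic)}]",
        f'"TCPAllowedPorts"=hex(7):{encode_multi_sz(tcp)}',
        f'"UDPAllowedPorts"=hex(7):{encode_multi_sz(udp)}',
        f'"RawIPAllowedProtocols"=hex(7):{encode_multi_sz(rawip)}',
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the post's policy (http in, rip in, tcp+udp raw) on a
    # placeholder adapter name; then round-trip it through the parser.
    reg = render_filter_reg("Elnk31", tcp=["80"], udp=["520"])
    print(reg)
    for key, values in parse_reg(reg).items():
        for name, ports in values.items():
            print(f"{key}\n    {name} = {ports}")
```

Run it as-is to see the generated filter.reg and the decoded lists; to target a real machine, replace "Elnk31" with the service name found under the NetworkCards key the post points to, and use `decode_multi_sz(..., unicode=True)` when reading a file exported by a newer regedit, since its hex(7) data is UTF-16LE and the ANSI decoder would return garbage.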