Nmap Announce mailing list archives

Re: OS Detection Question


From: Nelson <stderr () unreal sekure org>
Date: Thu, 4 May 2000 10:58:47 -0300 (BRT)


For Linux, get the patch.

On Windows NT try filters:
Network Neighborhood -> Protocols -> TCP/IP -> Properties -> IP Address
-> Advanced -> Enable Security -> Configure -> bla bla bla...

I've made a registry script to do this:
----filter.reg
REGEDIT4
; the REGEDIT4 header on the first line is what lets regedit on NT 4.0 import this file

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NIC-NAME>\Parameters\Tcpip]
"TCPAllowedPorts"=hex(7):38,30,00,00                    ; http(80)
"UDPAllowedPorts"=hex(7):35,32,30,00,00                 ; rip(520)
"RawIPAllowedProtocols"=hex(7):36,00,31,37,00,00        ; tcp(6) and udp(17)
----filter.reg

Did you get it? 
38,30    == 80    == http
35,32,30 == 520   == rip
36       == 6     == tcp
31,37    == 17    == udp
00,00    == NULL  == end
00       == SPACE == and

To find out what the NIC-NAME is, search in:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards]

It works for me. Look:
Before Filters:
rewt:~# nmap -v -sT -O 172.17.1.1

Starting nmap V. 2.30BETA17 by fyodor () insecure org ( www.insecure.org/nmap/ )
Host  (172.17.1.1) appears to be up ... good.
Initiating TCP connect() scan against  (172.17.1.1)
Adding TCP port 139 (state Open).
Adding TCP port 135 (state Open).
The TCP connect scan took 44 seconds to scan 1517 ports.
For OSScan assuming that port 135 is open and port 422 is closed and neither are firewalled
For OSScan assuming that port 135 is open and port 422 is closed and neither are firewalled
For OSScan assuming that port 135 is open and port 422 is closed and neither are firewalled
WARNING: OS didn't match until the 3 try
Interesting ports on  (172.17.1.1):
Port       State       Service
135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=10214 (Worthy challenge)

Sequence numbers: 82159285 821671B0 8216F2F9 8217B423 82187D56 82197619
Remote operating system guess: Microsoft NT 4.0 Server SP5 + 2047 Hotfixes

Nmap run completed -- 1 IP address (1 host up) scanned in 69 seconds
rewt:~# 

After filters:
rewt:~# nmap -v -sU -O 172.17.1.1 -p 520

Starting nmap V. 2.30BETA17 by fyodor () insecure org ( www.insecure.org/nmap/ )
Host  (172.17.1.1) appears to be up ... good.
Initiating FIN,NULL, UDP, or Xmas stealth scan against  (172.17.1.1)
The UDP or stealth FIN/NULL/XMAS scan took 0 seconds to scan 1 ports.
Interesting ports on  (172.17.1.1):
Port       State       Service
520/udp    open        route                   

Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)


Nmap run completed -- 1 IP address (1 host up) scanned in 18 seconds
rewt:~# 

PS: Sorry about my poor English. =P

Nothing further,
--
/* Nelson Brito - Sekure SDI *
 * http://stderr.sekure.org/ */
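The hex(7) lists in filter.reg are REG_MULTI_SZ values written out byte by byte, and working them out by hand is where mistakes creep in. The following script is an added example, not Nelson's filter.reg or any Microsoft tool: it encodes a port or protocol list into the REGEDIT4 hex(7) form, decodes it back, renders a complete filter.reg for one NIC, and parses an existing .reg file so you can audit what a box actually allows. The NIC name E100B1 and the functions are hypothetical; the registry paths and value names are the ones from the post.

```python
"""Encode, decode and audit the REG_MULTI_SZ allow-lists behind NT 4.0 TCP/IP
security filters, in the REGEDIT4 hex(7) notation used in filter.reg.
Added example for this thread; not the original poster's script."""

import re

TCPIP_PARAMS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
NIC_KEY_TEMPLATE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{nic}\Parameters\Tcpip"
FILTER_VALUES = ("TCPAllowedPorts", "UDPAllowedPorts", "RawIPAllowedProtocols")

# Constructed sample: the filter.reg from the post with a hypothetical NIC name.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E100B1\Parameters\Tcpip]
"TCPAllowedPorts"=hex(7):38,30,00,00                    ; http(80)
"UDPAllowedPorts"=hex(7):35,32,30,00,00                 ; rip(520)
"RawIPAllowedProtocols"=hex(7):36,00,31,37,00,00        ; tcp(6) and udp(17)
"""

_HEX7_RE = re.compile(r'^"(\w+)"=hex\(7\):([0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*)')
_DWORD_RE = re.compile(r'^"EnableSecurityFilters"=dword:([0-9A-Fa-f]{8})')


def encode_multi_sz(values):
    """Encode a list of strings as REGEDIT4 hex(7) data.

    REGEDIT4 writes single-byte characters: each string is followed by one 00
    (its terminator) and the whole list by a second 00, so ["80"] becomes
    38,30,00,00 and ["6", "17"] becomes 36,00,31,37,00,00.
    """
    for value in values:
        if not value or "\x00" in value:
            raise ValueError("entries must be non-empty and contain no NUL")
    raw = b"".join(v.encode("ascii") + b"\x00" for v in values) or b"\x00"
    raw += b"\x00"  # list terminator; an empty list is therefore 00,00
    return ",".join(f"{byte:02x}" for byte in raw)


def decode_multi_sz(hex_data):
    """Invert encode_multi_sz: '36,00,31,37,00,00' -> ['6', '17']."""
    raw = bytes(int(part, 16) for part in hex_data.split(","))
    if len(raw) < 2 or raw[-2:] != b"\x00\x00":
        raise ValueError("hex(7) data must end with the double NUL terminator")
    body = raw[:-2]
    return body.decode("ascii").split("\x00") if body else []


def _check_range(values, low, high, what):
    """Normalise numbers to decimal strings and reject anything out of range."""
    out = []
    for v in values:
        n = int(v)
        if not low <= n <= high:
            raise ValueError(f"{what} {v} out of range {low}-{high}")
        out.append(str(n))
    return out


def render_filter_reg(nic_name, tcp_ports, udp_ports, raw_protocols):
    """Build a complete REGEDIT4 file that enables filters on one NIC and
    allows only the given TCP ports, UDP ports and raw IP protocol numbers."""
    tcp = _check_range(tcp_ports, 1, 65535, "TCP port")
    udp = _check_range(udp_ports, 1, 65535, "UDP port")
    protos = _check_range(raw_protocols, 1, 255, "IP protocol")
    lines = [
        "REGEDIT4",
        "",
        f"[{TCPIP_PARAMS_KEY}]",
        '"EnableSecurityFilters"=dword:00000001',
        "",
        f"[{NIC_KEY_TEMPLATE.format(nic=nic_name)}]",
        f'"TCPAllowedPorts"=hex(7):{encode_multi_sz(tcp)}',
        f'"UDPAllowedPorts"=hex(7):{encode_multi_sz(udp)}',
        f'"RawIPAllowedProtocols"=hex(7):{encode_multi_sz(protos)}',
        "",
    ]
    return "\n".join(lines)


def parse_filter_reg(text):
    """Read the filter settings back out of a .reg file (exported or
    hand-written) so the allow-lists can be audited; trailing ; comments
    after the hex data are ignored by the regex."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        m = _DWORD_RE.match(line)
        if m:
            found["EnableSecurityFilters"] = int(m.group(1), 16)
            continue
        m = _HEX7_RE.match(line)
        if m and m.group(1) in FILTER_VALUES:
            found[m.group(1)] = decode_multi_sz(m.group(2))
    return found


if __name__ == "__main__":
    print(render_filter_reg("E100B1", ["80"], ["520"], ["6", "17"]))
    print(parse_filter_reg(SAMPLE_REG))
```

Running the script prints a filter.reg equivalent to the one in the post and the decoded allow-lists of the sample; point parse_filter_reg at a `regedit /e` export of the Tcpip keys to check a deployed filter without reading hex by hand.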

On Wed, 3 May 2000, John Turner wrote:

I have searched the net looking for a definitive answer to this question but have come up dry.

QUESTION:
Is there a way to completely fool (or block) OS detection from scanners (like nmap, queso, etc.) using the Linux OS? 
What about Windoze?

Any insight would be greatly appreciated.

Regards,

John
