Nmap Announce mailing list archives

Re: OS Detection Question


From: "Mr. Man" <mrman () darkside org>
Date: Thu, 4 May 2000 12:45:02 -0500 (CDT)

On Wed, 3 May 2000, Saint skullY the Dazed wrote:

> There are patches to do this. My question is *WHY*. Why do you want to
> mask your OS? It will provide you no extra protection. If someone wants
> to get into your machine, having the nmap -O show up with a different OS
> or not matching an OS is not going to fool them for long. Why not instead
> apply your time and effort into actually securing the box, instead of
> just obscuring it. Security through obscurity is not an effective security
> measure (For long).

While the security through obscurity argument is normally an appropriate
one, it's somewhat bullshit in the context you are using it in here.  I
can think of several reasons why masking information, like the OS on a
machine, wouldn't be a bad part of one's security policy.  I'm sure your
root password is obscured, right?  What about your firewall policies?
What about the accounts on your machines?  Obscurity does have a place in
security, even if more work by an attacker would provide the information
needed.  If you increase the amount of work an intruder has to go through
before he knows for sure what he's up against, you increase the amount of
time it takes for him to gather information, and possibly even have a
better chance of catching him before he does anything if he triggers a few
alarms in his/her gathering process.

Maybe Mr. Turner is asking because of a firewall that will have no ports
open to the outside.  Masking/blocking OS detection/fingerprinting would
make it very hard for an intruder to figure out what type of firewall it
was, and would mean he/she'd have to try every trick in the book to get
past it instead of saying "Ok, this is a Linux firewall running IPChains
and I can get past it by doing this..."

It's when obscurity (like your password hash being a simple XOR
instead of something more secure like MD5, blowfish, etc.) is your only
form of security that it's a Bad Thing(tm).

And the answer to '*WHY*' is the same reasons we hackers do what we do...
We do it because we can, and someone told us it either can't be done or
isn't a good idea.

> At the very least, close all ports you're not using, check to see if anything
> you are running has any known vulnerabilities, and possibly even stick a
> firewall box between the machine and the hostile network.
>
> -skullY
__
joseph