Nmap Announce mailing list archives

Re: OS Detection Question


From: Saint skullY the Dazed <skully () straw drpepper org>
Date: Thu, 4 May 2000 18:22:25 +0000

On Thu, May 04, 2000 at 01:26:25PM -0700, Todd Smith wrote:
> I only partially agree. Suppose you're running linux alpha, you're running
> apache 1.3.12, bind 8.2.2-5 (or newest rev), proftpd 1.2.0pre10,
> ssh-2.0.13 from datafellows and so forth. None of which are known to have
> remote buffer overflows. Suppose a buffer overflow does exist in which
> you can overwrite that buffer, leaving it in a state able to execute
> code. When you send your code, shellcode may it be, for an x86 linux
> system, it's not going to work on the alpha. How is it exactly that
> you're going to figure out that this system is actually an alpha
> architecture, when using something that can actually reply with
> fingerprints matching a different os?

So when my x86 shellcode doesn't work, I as the attacker am going to go
on one of two hunches. Either:

1. They've patched the daemon already.

or

2. It's not an x86 box.

Yes, a lot of people are going to assume #1. However, the people who assume
#2 are then going to come up with a list of the most likely architectures
it could be. Chances are, Alpha is going to be their very next choice.
Furthermore, shellcode is a bitch to write. If I've taken the time to write
shellcode for one architecture, chances are I'm going to rewrite it for
other architectures as well.

The reason that I'm so opposed to masking the OS type is that it's just
a security blanket. It provides no real protection. That's why your time
is much better served actually securing the box. Then again, I tend not
to be so paranoid about things myself, because I know my boxes are as
secure as I can make them. Hell, I (and the company I work for) still
include HINFO, TXT, and WKS lines for machines under my control. Do a 
host -al napkin.net. No need to even portscan any of my machines. I
tell you what's open. You can even finger skully () drpepper org if you
like.

For a good example of a machine that doesn't do any masking, but you'll
find nearly impossible to break into, fondle darkstar.frop.org. Again,
we have the WKS and the HINFO DNS records entered, so you don't have to
do any work to get the information on the box. However, good luck trying
to get into the machine. 

I realize that in any environment where source flows freely, there are 
going to be patches that provide little more than a security blanket.
However, I'd like to see those get used as one of the last things done
to secure a machine, not the first.

-skullY
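As an added illustration of the HINFO/TXT/WKS point above (this is not code from skullY's post, nor from nmap or any tool mentioned in the thread): the records he publishes tell an attacker the platform and the listening services from DNS alone, with no port scan. The Python below parses a constructed zone snippet in BIND / `host -al` style and summarises what each host discloses. The hostnames, addresses and record contents are made up for the example.

```python
"""Summarise what HINFO, TXT and WKS records in a zone give away per host.

Added example; not part of the original post. The zone text below is
constructed for illustration (example.test, 192.0.2.x are reserved
documentation names/addresses).
"""
import shlex
from collections import defaultdict

# Constructed sample zone in BIND / `host -al` style: one A record per
# host plus the "informational" records the post talks about.
SAMPLE_ZONE = """\
$ORIGIN example.test.
napkin    IN  A      192.0.2.10
napkin    IN  HINFO  "Alpha" "Linux"
napkin    IN  TXT    "mail and web server"
napkin    IN  WKS    192.0.2.10 tcp smtp http ssh
napkin    IN  WKS    192.0.2.10 udp domain
darkstar  IN  A      192.0.2.20
darkstar  IN  HINFO  "Intel x86" "OpenBSD"
darkstar  IN  WKS    192.0.2.20 tcp ssh
"""


def parse_zone(zone_text):
    """Yield (owner, rrtype, rdata_tokens) for each record in a zone snippet.

    Handles the usual "name [ttl] [class] type rdata" layout; quoted strings
    in HINFO/TXT rdata are kept whole via shlex. Directives ($ORIGIN, $TTL)
    and ';' comments are skipped. (A ';' inside a quoted TXT string is not
    handled; that is a simplification of this example.)
    """
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = shlex.split(line)
        owner = tokens[0]
        i = 1
        # optional TTL (numeric) and class (IN/CH/HS) may precede the type
        while i < len(tokens) and (
            tokens[i].isdigit() or tokens[i].upper() in ("IN", "CH", "HS")
        ):
            i += 1
        if i >= len(tokens):
            continue
        yield owner, tokens[i].upper(), tokens[i + 1:]


def exposure(zone_text):
    """Per host, collect CPU/OS (HINFO), free text (TXT) and services (WKS)."""
    hosts = defaultdict(
        lambda: {"cpu": None, "os": None, "txt": [], "services": defaultdict(list)}
    )
    for owner, rrtype, rdata in parse_zone(zone_text):
        if rrtype == "HINFO" and len(rdata) >= 2:
            # HINFO rdata: "<cpu>" "<os>"
            hosts[owner]["cpu"], hosts[owner]["os"] = rdata[0], rdata[1]
        elif rrtype == "TXT":
            hosts[owner]["txt"].append(" ".join(rdata))
        elif rrtype == "WKS" and len(rdata) >= 2:
            # WKS rdata: <address> <protocol> <service names...>
            proto = rdata[1].lower()
            hosts[owner]["services"][proto].extend(s.lower() for s in rdata[2:])
    return {h: {**v, "services": dict(v["services"])} for h, v in hosts.items()}


def report(info):
    """One line per host: platform and advertised services, no scan needed."""
    lines = []
    for host in sorted(info):
        d = info[host]
        platform = f"{d['cpu']}/{d['os']}" if d["cpu"] else "platform unknown"
        svc = "; ".join(
            f"{p}: {','.join(names)}" for p, names in sorted(d["services"].items())
        ) or "no WKS"
        lines.append(f"{host}: {platform}; {svc}")
    return lines


if __name__ == "__main__":
    for line in report(exposure(SAMPLE_ZONE)):
        print(line)
```

Against real data you would feed it the output of a zone transfer (`host -al <zone>` or `dig axfr`) where the server allows one; the parser only needs the owner/type/rdata columns, so TTL and class columns can be present or absent.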

