Nmap Announce mailing list archives
Re: OS Detection Question
From: Saint skullY the Dazed <skully () straw drpepper org>
Date: Thu, 4 May 2000 18:22:25 +0000
On Thu, May 04, 2000 at 01:26:25PM -0700, Todd Smith wrote:
> I only partially agree. Suppose you're running Linux Alpha, you're running Apache 1.3.12, BIND 8.2.2-5 (or newest rev), ProFTPD 1.2.0pre10, ssh-2.0.13 from Data Fellows and so forth, none of which are known to have remote buffer overflows. Suppose a buffer overflow does exist in which you can overwrite that buffer, leaving it in a state able to execute code. When you send your code (shellcode, say) for an x86 Linux system, it's not going to work on the Alpha. How is it, exactly, that you're going to figure out that this system is actually an Alpha architecture, when using something that can actually reply with fingerprints matching a different OS?
So when my x86 shellcode doesn't work, I as the attacker am going to go on one of two hunches. Either: 1. They've patched the daemon already, or 2. It's not an x86 box. Yes, a lot of people are going to assume #1. However, the people who assume #2 are then going to come up with a list of the most likely architectures it could be. Chances are, Alpha is going to be their very next choice. Furthermore, shellcode is a bitch to write. If I've taken the time to write shellcode for one architecture, chances are I'm going to rewrite it for other architectures as well.

The reason that I'm so opposed to masking the OS type is that it's just a security blanket. It provides no real protection. Hence your time is much better served actually securing the box.

Then again, I tend not to be so paranoid about things myself, because I know my boxes are as secure as I can make them. Hell, I (and the company I work for) still include HINFO, TXT, and WKS lines for machines under my control. Do a host -al napkin.net. No need to even portscan any of my machines; I tell you what's open. You can even finger skully () drpepper org if you like.

For a good example of a machine that doesn't do any masking, but that you'll find nearly impossible to break into, fondle darkstar.frop.org. Again, we have the WKS and the HINFO DNS records entered, so you don't have to do any work to get the information on the box. However, good luck trying to get into the machine.

I realize that in any environment where source flows freely, there are going to be patches that provide little more than a security blanket. However, I'd like to see those get used as one of the last things done to secure a machine, not the first.

-skullY