Penetration Testing mailing list archives
Re: Block OS Detection
From: "Robert E. Lee" <robert () outpost24 com>
Date: Wed, 05 Sep 2007 11:22:53 +0200
Jon DeShirley wrote:
> Changing default stack values will give you a little bit of protection from OS fingerprinting, but there are usually other identifiers that will give your stack away. Dropping SYN+FIN, altering default TCP TTL values, changing the default TCP window size, and a few other things will fool a passive OS fingerprint. A few of the techniques are documented here: http://www.zog.net/Docs/nmap.html .
>
> But this is all moot, unless you go through all your service banners to sanitize them and block all default services (i.e. Active Directory, Linuxconf, or ToolTalk) that would give your platform away.
This type of obfuscation was in vogue for a few years in the late 90's and early 2000's. It was commonly believed that an attacker would follow the same method as a vulnerability assessor to attack a system; namely port scan, service/system enumeration, attempt to exploit known problems. Because of this mistaken belief, vulnerability assessors started recommending that their customers do things that only slow down a vulnerability assessor (IPS that blocks port scans, Stack Obfuscation, Banner Obfuscation, etc).

Unfortunately, this is not how automated attacks work. In an automated attack, the attacker simply targets a wide number of systems, attempts the exploit of choice, and moves on to the next host if it fails. It doesn't care what the TCP/IP stack properties say, nor what the banner says.

Lately it has been argued that leaving the banner information intact helps the administrator more than it hurts. Having the version information available allows an admin an easy way to poll his systems to see which are vulnerable. Without that ability, the admin is more likely to leave out of date/vulnerable software running.

If you've changed your TCP/IP stack characteristics, you may actually make yourself more insecure. I remember some people started emulating really old and obscure systems stacks. This emulation actually reintroduced predictable sequence numbers, making their systems vulnerable to hijacking.

Obfuscation does not protect your system/service. There is no measurable benefit in blocking OS Detection or changing banners.

Robert

-- 
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com
phone: +46-455-61-2320
fax  : +46-455-1-3960
email: robert () outpost24 com
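The point Robert makes about banners being useful to the administrator can be shown with a small inventory check. The following is an added example, not code from the thread or from Outpost24: it takes a constructed set of banners as an internal poll of a few hypothetical hosts might return them, parses the product and version out of the ones that still carry that information, compares each against a hypothetical minimum-version baseline, and reports separately the hosts whose banners have been sanitized, because those are exactly the hosts the admin can no longer assess from the banner alone. The host addresses, banners and baseline versions are all constructed for the example.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample data: what an internal banner poll of a few hypothetical
# hosts might return. None of these addresses or banners come from the thread.
SAMPLE_BANNERS = {
    "10.0.0.11": "SSH-2.0-OpenSSH_7.4",
    "10.0.0.12": "SSH-2.0-OpenSSH_9.6",
    "10.0.0.13": "SSH-2.0-SSH",                     # sanitized: product and version removed
    "10.0.0.21": "Server: Apache/2.4.57 (Debian)",
    "10.0.0.22": "Server: Apache/2.2.34",
    "10.0.0.23": "Server: Apache",                  # version hidden (e.g. ServerTokens Prod)
    "10.0.0.31": "220 mail ESMTP",                  # no product information at all
}

# Hypothetical minimum acceptable versions for this environment (assumption).
BASELINE = {"openssh": (8, 0), "apache": (2, 4)}

# Banner formats this example understands: SSH identification strings and
# HTTP Server headers. Anything else is reported as "unknown".
BANNER_PATTERNS = [
    re.compile(r"^SSH-2\.0-(?P<product>OpenSSH)_(?P<version>[0-9.]+)"),
    re.compile(r"^Server:\s*(?P<product>Apache)/(?P<version>[0-9.]+)"),
]


class Assessment(NamedTuple):
    host: str
    status: str            # "ok", "outdated" or "unknown"
    product: Optional[str]
    version: Optional[str]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.57' into (2, 4, 57) so versions compare as tuples, not strings."""
    return tuple(int(p) for p in text.strip(".").split(".") if p.isdigit())


def parse_banner(banner: str):
    """Return (product, version) if the banner still exposes them, else (None, None)."""
    for pattern in BANNER_PATTERNS:
        match = pattern.match(banner)
        if match:
            return match.group("product").lower(), match.group("version")
    return None, None


def assess(host: str, banner: str) -> Assessment:
    """Classify one host: below baseline, at/above baseline, or not assessable."""
    product, version = parse_banner(banner)
    if product is None or product not in BASELINE:
        # A sanitized or unrecognised banner gives the admin nothing to act on.
        return Assessment(host, "unknown", product, version)
    status = "ok" if parse_version(version) >= BASELINE[product] else "outdated"
    return Assessment(host, status, product, version)


def assess_all(banners: dict) -> list:
    return [assess(host, banner) for host, banner in sorted(banners.items())]


def summarize(results: list) -> dict:
    """Group host addresses by status for a quick report."""
    return {
        status: sorted(r.host for r in results if r.status == status)
        for status in ("ok", "outdated", "unknown")
    }


if __name__ == "__main__":
    results = assess_all(SAMPLE_BANNERS)
    for r in results:
        print(f"{r.host:<12} {r.status:<9} {r.product or '-':<8} {r.version or '-'}")
    report = summarize(results)
    print("\nbelow baseline :", ", ".join(report["outdated"]) or "none")
    print("not assessable :", ", ".join(report["unknown"]) or "none")
```

The "unknown" bucket is the part worth watching: every host in it has to be checked by some other means (package inventory, agent, login) before the admin knows whether it is running out-of-date software, which is the extra work banner obfuscation buys.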
Current thread:
- Re: Block OS Detection Gadi Evron (Sep 01)
- Re: Block OS Detection Jonathan Yu (Sep 01)
- RE: Block OS Detection Ofer Shezaf (Sep 04)
- RE: Block OS Detection Gadi Evron (Sep 04)
- RE: Block OS Detection Gadi Evron (Sep 04)
- RE: Block OS Detection Philippe Bogaerts (Sep 04)
- <Possible follow-ups>
- Re: Block OS Detection Dotzero (Sep 04)
- Block OS Detection Jon DeShirley (Sep 04)
- Re: Block OS Detection Joxean Koret (Sep 04)
- Re: Block OS Detection Robert E. Lee (Sep 05)
- Re: Block OS Detection Gadi Evron (Sep 05)
- Re: Block OS Detection sami seclist (Sep 04)
- RE: Block OS Detection Andrew Court (Sep 04)
- RE: Block OS Detection alan (Sep 04)
- RE: Block OS Detection Strykar (Sep 05)
- Re: Block OS Detection John Brazel (Sep 05)
- RE: Block OS Detection Arafat M. Bique (Sep 05)
- Re: Block OS Detection vtlists (Sep 05)
- RE: Block OS Detection Arafat M. Bique (Sep 05)