fooling nmap
Chuck Swiger
cswiger at mac.com
Sun Sep 5 12:24:10 PDT 2004
vxp wrote:
> On Sat, 4 Sep 2004, Colin Alston wrote:
>> My point was if it provides no security, then there is no point to it at
>> all.
>
> oh, but it does. it prevents them from gathering accurate information
> about your system. that's an extremely important part of the attack.
From your perspective, certainly, but you aren't a computer worm or virus.
The overwhelming majority of worms and viruses launch their attacks by
sweeping ranges of IP space-- generally starting on the local subnet, then
scanning in a more-or-less random fashion from there. They don't care what
your TCP stack looks like to nmap. They don't care what OS is running at that
IP address. Frankly, worms don't even care much whether the TCP or UDP port
they are trying to use is even open; they'll just move on to the next IP.
>> Most attackers are going to exploit things at a service level
>> anyway. What is the point of changing the fingerprint?
>
> ok, say your apache is vulnerable to whatever. an exploit for that apache
> under linux is one thing, under freebsd is another, under windows another,
> etc. the 'service level' won't work, if you got the OS wrong.
If your protection depends upon the attacker guessing the OS wrong, you're
screwed. The worm which assumes all machines have a cmd.com won't get
through, you're right, but that doesn't mean that a worm which assumes all
machines are FreeBSD machines is going to leave your IP alone just because you
pretend otherwise.
> there's very very few cross-platform vulnerabilities that share the _same_
> exploit code on _all_ platforms. actually, there's not a 'few'. there's
> none.
You're either not looking, or you don't understand what you see.
Google for "Perl vulnerabilities" or "SQL injection".
--
-Chuck
PS: Not trying to give you a hard time. If you think you can make changes to
src/sys/netinet/tcp_input.c and tcp_output.c which give you OS concealment,
and make the existing code smaller or better, by all means, I'd be happy to
take a look at those changes, and recommend them to others.