-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Paul D. Robertson writes:

>On Sat, 27 May 2000, Russell Ross wrote:
>> I apologize if this is a bit off topic, but is it possible to stop OS's (NT
>> & Solaris) from responding to probes (ISS and Nmap) with their version and
>> patch level?

>Nmap's OS fingerprinting code looks at the IP stack's response to packets
>it sends, so without modifying the IP stack on the host or the packets as
>they traverse a transparent gateway, you're not going to get very far.
>Hopefully the only ports you have exposed are those absolutely necessary
>to the operation of your business and you've done enough diligence on
>the hosts themselves to be able to sleep most nights.

What I'm mildly surprised about is that the prevalence of IP fingerprinting
tools like nmap and queso hasn't resulted in more code for actively thwarting
such scans.  By their very nature the heuristics for such scans tend to
be fairly brittle and susceptible to spoofing.


>You should read Fyodor's paper on OS fingerprinting, or the fingerprinting
>section of the nmap documentation to better understand what's going on
>here.  The stack's behaviour is how nmap determines the OS, it's not
>like a banner advertisement.  Some stacks are easier to fingerprint than
>others, just because they behave differently than the norm.

In addition to `active' fingerprinting (as done by nmap and queso),
remote OS identification can be accomplished by what Lance Spitzner
calls `passive' fingerprinting.  See:

        http://www.enteract.com/~lspitz/finger.html

...which has links to a couple of proof-of-concept tools.

In addition, fans of tinkerware might be interested in a set of NIDS/traffic
analysis widgets I've been working on for a while.  It can be found at:

        http://www.meshuggeneh.net/shoki/

...and has widgetry that does both passive fingerprinting and nmap fingerprint
foiling.







- -Steve


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5Of4dG3kIaxeRZl8RAsZjAJ9GbF/9zOtT+PFiQsjum6L7AqBjoQCfZ3KE
vZuCeuC17uBcCsjpqF18CO4=
=3j3V
-----END PGP SIGNATURE-----
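The message above contrasts active fingerprinting (nmap, queso), which provokes a stack with crafted packets, with Spitzner's passive fingerprinting, which only reads fields a host sets on its own outbound packets: initial TTL, TCP window size, the DF bit and TOS. The following is an added example, not code from shoki, p0f or any of the tools linked above. It parses a raw IPv4+TCP SYN, matches it against a small signature table, and then shows why such heuristics are brittle: rewriting a few header bytes, as a transparent gateway could, changes the verdict. The signature values and the 10.0.0.x addresses are assumptions made up for the example, not entries from any real fingerprint database.

```python
"""Passive OS fingerprinting on raw IPv4/TCP headers, plus a demonstration of
how easily the signals it relies on can be spoofed.  Added example; the
signature table is illustrative and not taken from any real database."""
import struct

# Illustrative signatures: initial TTL, TCP window and DF bit on the first SYN.
# The values and labels are ASSUMED for this example.
SIGNATURES = [
    {"ttl": 64,  "window": 32120, "df": True, "label": "Linux 2.2 (assumed)"},
    {"ttl": 128, "window": 8192,  "df": True, "label": "Windows NT 4 (assumed)"},
    {"ttl": 255, "window": 8760,  "df": True, "label": "Solaris 2.6 (assumed)"},
]

# Common initial TTL values; an observed TTL is rounded up to the nearest one,
# since each router hop decrements it by one.
INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for t in INITIAL_TTLS:
        if ttl <= t:
            return t
    return ttl


def parse_ip_tcp(packet):
    """Extract the passive-fingerprint fields from raw IPv4 + TCP headers."""
    (ver_ihl, tos, _total_len, _ident, flags_frag, ttl,
     proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes
    df = bool(flags_frag & 0x4000)      # Don't Fragment bit
    tcp = packet[ihl:ihl + 20]
    (_sport, _dport, _seq, _ack, off_flags,
     window, _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp)
    tcp_flags = off_flags & 0x01FF
    # Only a pure SYN (no ACK) reflects the sender's own stack defaults.
    pure_syn = bool(tcp_flags & 0x02) and not (tcp_flags & 0x10)
    return {"ttl": ttl, "df": df, "tos": tos, "window": window, "syn": pure_syn}


def fingerprint(packet):
    """Return the matching signature label, 'unknown', or None if not a SYN."""
    f = parse_ip_tcp(packet)
    if not f["syn"]:
        return None
    itl = guess_initial_ttl(f["ttl"])
    for sig in SIGNATURES:
        if (sig["ttl"], sig["window"], sig["df"]) == (itl, f["window"], f["df"]):
            return sig["label"]
    return "unknown"


def build_syn(ttl, window, df, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal IPv4+TCP SYN with chosen stack-dependent fields.
    Constructed sample input; checksums are left at zero."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag,
                     ttl, 6, 0, src, dst)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02,
                      window, 0, 0)
    return ip + tcp


def spoof_stack_fields(packet, ttl, window, df):
    """Rewrite TTL, DF and TCP window in place, as a transparent gateway could
    do to make one stack look like another.  Checksums are not recomputed."""
    b = bytearray(packet)
    ihl = (b[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", b[6:8])[0]
    flags_frag = (flags_frag | 0x4000) if df else (flags_frag & ~0x4000)
    b[6:8] = struct.pack("!H", flags_frag)
    b[8] = ttl
    b[ihl + 14:ihl + 16] = struct.pack("!H", window)
    return bytes(b)


if __name__ == "__main__":
    linux_syn = build_syn(61, 32120, True)          # TTL 61: three hops away
    print(fingerprint(linux_syn))
    disguised = spoof_stack_fields(linux_syn, 128, 8192, True)
    print(fingerprint(disguised))
```

The disguise works because a passive fingerprinter, by design, never sends anything and so cannot check whether the claimed stack behaves consistently; an active scanner sends several malformed probes and is harder (but, as the message notes, not impossible) to fool with the same kind of header rewriting.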
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
