Re: [OSFP] a solution against 'xprobe2' and 'nmap -O' ??

From: jayjwa (jayjwa_at_nowhere.org)
Date: 05/24/05


Date: Tue, 24 May 2005 05:42:41 -0000

On 2005-05-23, Amine Elleuch wrote:

> I'm looking for a solution that can make it impossible for a hacker to get
> the OS version of my servers by fingerprinting (using for example 'nmap
> -O' or 'xprobe2').

It's not so much the OS version they are after, but the versions of the
applications that sit listening on various ports. Who cares if it's running
Fedora Core something-or-other, if it's running ProFTPD 1.2.9, or an older
b0rked version of OpenSSL is advertising itself in everything it's linked
against?

> IP Personality for Linux, has anyone tested it? Are there any tools
> for Windows?

If you're worried about scans as a whole, the netfilter patch-o-matic has some
cool features you may want to look into, but it requires patching your kernel
and recompiling to get the additional iptables kmods. However, it's painless
and I've since made it a part of my default setup. Here are the ones I've loaded
now on the gateway:

psd
unclean
state
rpc
multiport
limit
iprange
comment
tcp
udp
icmp
 
You might be able to use 'psd', a portscan match module, to flag & drop scan
packets. nmap, I think, is easier to catch, because I find that sometimes my
nmap probes will get dropped, but so far xprobe2 has been going through
untouched, at least on the places I've used it.

For Windows? I don't think they have such cool toys ;)
Anyway, the large number of default open ports on a Windows box almost always
gives it away: 1024-27, 445, 5000, etc...

-- 
1 Copy M$ Windows XP...$200; 1 Anti-virus ...$80; 2 Third-
party firewalls....$220; 1 Visa Credit Stolen from Win XP
machine when hacked.....$50,000; 2 Anti-Spywares...$160;
Never worrying about this crap because I use Linux..Priceless
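The post leans on the netfilter 'psd' match without spelling out how it decides that a stream of packets is a port scan. The heuristic it exposes through its options (--psd-weight-threshold, --psd-delay-threshold, --psd-lo-ports-weight, --psd-hi-ports-weight) is: per source address, count the distinct destination ports hit within a short window, weigh privileged ports (below 1024) more heavily than high ports, and match once the total weight crosses a threshold. Only TCP and UDP are examined, which is one plausible reason the poster's xprobe2 runs slip through: most of xprobe2's probes are ICMP, with only a couple of TCP/UDP packets to high ports, so almost nothing it sends adds weight. The model below is an added example, not the poster's ruleset and not the psd module's own source. It reproduces the four knobs in plain Python; the window handling (measured in seconds from the first packet of a burst) is a simplification assumed here, the traffic traces are constructed, and none of the addresses are real.

```python
"""Toy model of the netfilter 'psd' (port scan detection) match.

Added example: not the poster's configuration and not psd.c. It copies
psd's four knobs into Python so the heuristic can be run over constructed
packets; the window logic is a simplification assumed for illustration.
"""
from dataclasses import dataclass, field

LO_PORT_MAX = 1023  # psd weighs privileged ports (< 1024) more heavily


@dataclass
class _SourceState:
    window_start: float
    ports: set = field(default_factory=set)
    weight: int = 0


class PortscanDetector:
    # Defaults mirror the values psd documents (21 / 300 / 3 / 1); psd's
    # delay is in hundredths of a second, expressed here as 3.0 seconds.
    def __init__(self, weight_threshold=21, delay_threshold=3.0,
                 lo_ports_weight=3, hi_ports_weight=1):
        self.weight_threshold = weight_threshold
        self.delay_threshold = delay_threshold
        self.lo_ports_weight = lo_ports_weight
        self.hi_ports_weight = hi_ports_weight
        self._state = {}

    def observe(self, ts, src, proto, dport):
        """Feed one packet; return True if it makes `src` match as a scanner."""
        if proto not in ("tcp", "udp"):
            # psd is a TCP/UDP match: ICMP probes never add weight.
            return False
        st = self._state.get(src)
        if st is None or ts - st.window_start > self.delay_threshold:
            st = _SourceState(window_start=ts)  # quiet gap: start a new burst
            self._state[src] = st
        if dport not in st.ports:
            # Only a *new* destination port adds weight; repeats are free.
            st.ports.add(dport)
            st.weight += (self.lo_ports_weight if dport <= LO_PORT_MAX
                          else self.hi_ports_weight)
        return st.weight >= self.weight_threshold


def first_match(packets, **knobs):
    """Return the timestamp of the first packet that trips the detector,
    or None if the whole trace stays below the weight threshold."""
    det = PortscanDetector(**knobs)
    for ts, src, proto, dport in packets:
        if det.observe(ts, src, proto, dport):
            return ts
    return None


LOW_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443]

# Constructed traces of (ts_seconds, src, proto, dport); not captured data.
SAMPLE_TRAFFIC = {
    # nmap at default timing: ten privileged ports inside one second
    "nmap_fast": [(i / 10, "10.0.0.5", "tcp", p) for i, p in enumerate(LOW_PORTS)],
    # same ports 15 s apart (nmap -T sneaky style): each packet opens a fresh window
    "nmap_sneaky": [(15.0 * i, "10.0.0.7", "tcp", p) for i, p in enumerate(LOW_PORTS)],
    # xprobe2 style: four ICMP probes, then one TCP and one UDP packet to high ports
    "xprobe2": [(0.0, "10.0.0.9", "icmp", 0), (0.1, "10.0.0.9", "icmp", 0),
                (0.2, "10.0.0.9", "icmp", 0), (0.3, "10.0.0.9", "icmp", 0),
                (0.4, "10.0.0.9", "tcp", 65535), (0.5, "10.0.0.9", "udp", 65534)],
    # ordinary browser: fifty hits alternating between 443 and 80, weight stays at 6
    "browser": [(0.01 * i, "192.168.1.20", "tcp", 80 if i % 2 else 443)
                for i in range(50)],
}

if __name__ == "__main__":
    for name, trace in SAMPLE_TRAFFIC.items():
        hit = first_match(trace)
        verdict = "not flagged" if hit is None else f"flagged at t={hit:.1f}s"
        print(f"{name:12s}: {verdict}")
```

With psd's documented defaults the fast nmap trace trips the detector on its seventh privileged port (7 x 3 = 21), while the xprobe2-style trace, the slow scan and the browser all stay under the threshold; widening the delay window (for example `delay_threshold=200.0`) is what it takes to catch the 15-second-spaced scan. The corresponding iptables rule, using psd's documented options, would be `iptables -A INPUT -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j DROP`. Two caveats a practitioner should keep in mind: the match keys on source address, so decoy scans (`nmap -D`) trigger it just as readily with forged sources, and a slow enough scan never accumulates weight at all, so treat psd as a logging or rate-limiting aid rather than something that hides the host.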

