Re: [OSFP] a solution against 'xprobe2' and 'nmap -O' ??
From: Imhotep (NoSpam_at_nothanks.net)
Date: 05/25/05
- Next message: Valery Pryamikov: "Re: Hash of Public key"
- Previous message: Karl Levinson [x y] mvp: "Re: [OSFP] a solution against 'xprobe2' and 'nmap -O' ??"
- In reply to: Karl Levinson [x y] mvp: "Re: [OSFP] a solution against 'xprobe2' and 'nmap -O' ??"
- Next in thread: Karl Levinson, mvp: "Re: [OSFP] a solution against 'xprobe2' and 'nmap -O' ??"
- Reply: Karl Levinson, mvp: "Re: [OSFP] a solution against 'xprobe2' and 'nmap -O' ??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 24 May 2005 23:23:14 -0700
Karl Levinson [x y] mvp wrote:
>
> "Imhotep" <NoSpam@nothanks.net> wrote in message
> news:BfEke.150$_36.22@fed1read03...
>
>> A firewall will only help in the case that you do not need/allow any
>> incoming connects (ports). In the case that you *do* need incoming ports it
>> will not help out much (from hiding your OS type, etc)
>
> Which most home users don't. Even if you need to open one or two ports, I
> believe nmap needs a few more than that to be open to do an active
> fingerprint scan, at least some of which must be UDP ports. Most users
> very rarely need to open udp ports inbound.
Not true anymore. A lot of home users are opening up incoming ports. Some
video conferencing software requires it; other home users are also
using VNC to connect to their machines remotely, etc., etc...
As for the number of ports needed, it can be as little as one!
>> > Note that hiding your OS from such a scan does very little to help your
>> > security. Most attackers don't bother to check before they attack.
>>
>> Not true. This, OS fingerprinting, is good during the reconnaissance phase
>> of hacking/cracking...ie know your enemy before engaging your enemy.
>
> You've been reading too much "hacking exposed" books.
Ahhhhh no.
> Most home users are
> not likely to encounter an attacker that bothers to enumerate the OS, and
> a skilled attacker would probably not be using such a noisy and easy to detect
> scan as nmap's active OS fingerprinting. If you keep your system at least
> reasonably secure, you have nothing to worry about from fingerprinting.
OS enumeration is a lot less "noisy" than a full-out scan. For example, I do
a slow and drawn-out OS scan on you. I see that you are using XP pre-SP2.
That tells me a lot right there...and to boot, I did it without creating a
lot of "noise". If used right, OS fingerprinting is a nice addition to the
reconnaissance phase...
>> > An attacker on or near your local network may be able to guess your OS
>> > passively just by sniffing your network traffic, but again a firewall could
>> > help here.
>>
>> If your local LAN is a switched environment then this is not true. In a
>> switched LAN environment they will only see your broadcasts (typically ARP
>> requests) and your multicasts (if you use anything that uses multicasts,
>> that is). For someone to passively "hear" your communications they need:
>
> Don't rely on switches for security, they are not secure.
I did not say I relied on switches for security...I said just the
opposite. If you gain access to a switch, it is trivial to port-mirror
someone and hence sniff everything they are doing (sending/receiving).
> It is trivial
> to sniff on a switch using free software, and I would still consider that
> "passive" sniffing, as no scan packets necessarily need to be directed at
> the target host.
This is where I disagree with you. A switch will *not* allow you to hear
someone else's unicast packets. All you will hear is someone else's broadcasts
(99% ARPs) and multicasts (if in fact you have any). But, understand what I
am saying: if you sniff on your port, you will not "hear" my unicast (95%
of the packets I generate/receive) even if I am sitting in the cube next to
you. That is *not* how a switch works!
The real danger in a switched environment comes from ARP poisoning. That is
how you screw with someone on a LAN. But again, packet sniffing on a switch
is useless...(unless you use port mirroring, but, again, you need to have
access (login passwords) to the switch)
>> True. Some browsers allow you to configure what it sends out. KDE's
>> Konqueror is one. *YOU* tell it what it is allowed to tell web servers.
>> Pretty cool.
>
> Agreed, it is a nice feature. Pretty much all browsers let you change the
> user-agent string, including IE 6 [programmed some 6 years ago] and
> Firefox.
Are you sure Firefox and IE can do this? I just checked my Firefox and I did
not see the option, and I do not use IE....the only browser I personally
know of that can do this is KDE's...
>> > I would probably ignore such probes, since they are probably not
>> > skilled attackers.
>>
>> That's a mighty big assumption....What is your IP address? Ah
>> pool-71-240-224-184.fred.east.verizon.net..nevermind.
>
> The field of network intrusion detection is full of assumptions. If you
> were compromised, you would probably start seeing other more meaningful
> signs. Most people would go crazy if they panicked and investigated every
> time they were scanned with nmap, and they would have little time and
> energy left over to investigate the real intrusion they overlooked.
This is true, but when you have been doing security work for some time you
definitely know what to look out for and what can be safely ignored.
However, I am not advocating ignorance. Security is something that every
user should have, at least, a basic understanding of....
-Im
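The ARP-poisoning risk raised in this message is the one thing a host on a switched LAN can actually watch for itself, since ARP replies are what it does see on its own port. The following is an added example, not code from either poster: it keeps a table of IP-to-MAC mappings from observed ARP replies (the way arpwatch-style tools do) and flags a mapping that changes or that contradicts a pinned entry for a host such as the gateway. The ARP records are constructed, and the function names are my own.

```python
"""Detect ARP-poisoning symptoms from a stream of observed ARP replies.

Added example: records are constructed, not captured from any real network.
Each record is (timestamp, sender_ip, sender_mac) as a host would see them
on its own switch port.
"""
from collections import defaultdict

# Constructed sample. 192.168.1.1 is the gateway; from t=2.5 a second MAC
# starts answering for it, and at t=4.0 the same MAC also claims .20,
# the pattern of a man-in-the-middle poisoning both sides of a conversation.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),
    (1.5, "192.168.1.20", "00:11:22:33:44:20"),
    (2.0, "192.168.1.1", "00:11:22:33:44:01"),
    (2.5, "192.168.1.1", "00:11:22:33:44:99"),
    (3.0, "192.168.1.20", "00:11:22:33:44:20"),
    (3.5, "192.168.1.1", "00:11:22:33:44:99"),
    (4.0, "192.168.1.20", "00:11:22:33:44:99"),
]

# A pinned mapping for hosts whose MAC should never change (the gateway).
PINNED_GATEWAY = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_changes(replies, pinned=None):
    """Return alerts as (timestamp, ip, expected_mac, seen_mac, reason).

    A pinned IP is checked against its fixed MAC on every reply; any other IP
    is checked against the MAC last seen for it (a 'flip').  A pinned
    contradiction does not overwrite the believed mapping, so each bad reply
    is reported rather than only the first.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    believed = dict(pinned)   # ip -> mac we currently trust
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = believed.get(ip)
        if prev is not None and prev != mac:
            if ip in pinned:
                alerts.append((ts, ip, prev, mac, "contradicts pinned mapping"))
                continue           # keep the pinned entry as the truth
            alerts.append((ts, ip, prev, mac, "mapping changed"))
        believed[ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies, limit=1):
    """Return {mac: sorted list of IPs} for MACs that answered for more than
    `limit` distinct IPs.  One station legitimately owning several addresses
    is possible, so treat this as a signal to correlate, not a verdict."""
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        claims[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > limit}


if __name__ == "__main__":
    for alert in detect_arp_changes(SAMPLE_ARP_REPLIES, PINNED_GATEWAY):
        print("ALERT", alert)
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES).items():
        print("MULTI-IP", mac, ips)
```

Run it as is and the constructed sample produces three alerts with the gateway pinned (two contradictions for the gateway, one flip for .20), and shows the rogue MAC answering for both addresses. Without a pinned entry the first change is still caught, but the rogue MAC then becomes the believed mapping, which is why pinning the gateway is worth the one line of configuration.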