Change OS fingerprint.

Support for security such as Firewalls and securing linux
hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Change OS fingerprint.

Post by hack3rcon » 2019/01/23 08:48:02

Hello.
How can I change the OS fingerprint reported by scanners like Nmap? For example, so that Nmap can't detect that I'm running CentOS.

Thank you.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Change OS fingerprint.

Post by hunter86_bg » 2019/01/23 10:55:48

One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). Most fingerprints also have a Common Platform Enumeration (CPE) representation, like cpe:/o:linux:linux_kernel:2.6.
You need to rebuild the TCP/IP stack and compile every security fix manually. Too much effort, just to hide the OS version.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Change OS fingerprint.

Post by hack3rcon » 2019/01/23 11:47:07

hunter86_bg wrote:
2019/01/23 10:55:48
One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). Most fingerprints also have a Common Platform Enumeration (CPE) representation, like cpe:/o:linux:linux_kernel:2.6.
You need to rebuild the TCP/IP stack and compile every security fix manually. Too much effort, just to hide the OS version.
Can Honeypot programs like "Honeyd" help?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Change OS fingerprint.

Post by hunter86_bg » 2019/01/23 12:43:34

It might work, but don't count on it 100%.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Change OS fingerprint.

Post by hack3rcon » 2019/01/23 13:27:29

hunter86_bg wrote:
2019/01/23 12:43:34
It might work, but don't count on it 100%.
I know "Honeyd" is old; any suggestions?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Change OS fingerprint.

Post by hunter86_bg » 2019/01/23 19:53:36

I don't think the effort is worthwhile.
It's better to hide the version of your services - for example, Apache provides it by default.
The best way is to close all ports and open them only for specific trusted IPs - but most of the time this is not possible.

The safest approach is to harden your system, with SELinux in enforcing mode.
Then scan the system with Nessus and Greenbone and remediate whatever is possible.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Change OS fingerprint.

Post by hack3rcon » 2019/01/24 10:17:57

hunter86_bg wrote:
2019/01/23 19:53:36
I don't think the effort is worthwhile.
It's better to hide the version of your services - for example, Apache provides it by default.
The best way is to close all ports and open them only for specific trusted IPs - but most of the time this is not possible.

The safest approach is to harden your system, with SELinux in enforcing mode.
Then scan the system with Nessus and Greenbone and remediate whatever is possible.
In your opinion, are honeypots useless? Why was a tool like "Honeyd" never developed further?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Change OS fingerprint.

Post by jlehtone » 2019/01/24 14:29:25

No, he thinks fingerprint obfuscation is a waste of time.


How did you run the nmap anyway?


# nmap -O snafu

Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-24
Nmap scan report for foo.sbl (192.168.*.*)
Host is up (0.00048s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 10:E7:*:*:*:* (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 - 3.9 (93%), Linux 3.0 - 3.9 (93%), Linux 2.6.32 - 3.6 (92%), Linux 2.6.32 (90%), Linux 2.6.22 - 2.6.36 (90%), Linux 2.6.39 (90%), Crestron XPanel control system (89%), Netgear DG834G WAP or Western Digital WD TV media player (89%), Linux 2.6.32 - 2.6.35 (88%), Linux 2.6.32 - 3.2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds
Can you see from that output that the 'snafu' is a CentOS with default firewall zone 'public'?

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Change OS fingerprint.

Post by hack3rcon » 2019/01/26 10:07:08

jlehtone wrote:
2019/01/24 14:29:25
No, he thinks fingerprint obfuscation is a waste of time.


How did you run the nmap anyway?


# nmap -O snafu

Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-24
Nmap scan report for foo.sbl (192.168.*.*)
Host is up (0.00048s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 10:E7:*:*:*:* (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 - 3.9 (93%), Linux 3.0 - 3.9 (93%), Linux 2.6.32 - 3.6 (92%), Linux 2.6.32 (90%), Linux 2.6.22 - 2.6.36 (90%), Linux 2.6.39 (90%), Crestron XPanel control system (89%), Netgear DG834G WAP or Western Digital WD TV media player (89%), Linux 2.6.32 - 2.6.35 (88%), Linux 2.6.32 - 3.2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds
Can you see from that output that the 'snafu' is a CentOS with default firewall zone 'public'?
I don't know why a tool was never created for this!
Nmap tells me:


$ sudo nmap -O IP

Starting Nmap 6.47 ( http://nmap.org ) at 2019-01-26 13:31 +0330
Nmap scan report for IP (IP)
Host is up (0.00038s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: PBX|storage-misc|WAP
Running (JUST GUESSING): Vodavi embedded (89%), Thecus embedded (87%), Linux 2.6.X (85%)
OS CPE: cpe:/h:vodavi:xts-ip cpe:/h:thecus:n8800pro cpe:/o:linux:linux_kernel:2.6.22
Aggressive OS guesses: Vodavi XTS-IP PBX (89%), Thecus N8800PRO NAS device (87%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds
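Added example, not code from any poster in this thread: a small parser for the `nmap -O` text output quoted above, so that a defender scanning their own host can record what the fingerprint gave away. The sample report is constructed after the format of the outputs in the thread; the "OS details:" line is what Nmap prints on an exact database match.

```python
import re
from dataclasses import dataclass, field
# Constructed sample, modelled on the `nmap -O` reports quoted in the thread.
SAMPLE_REPORT = """\
Nmap scan report for 192.0.2.10 (192.0.2.10)
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Vodavi XTS-IP PBX (89%), Thecus N8800PRO NAS device (87%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (85%)
No exact OS matches for host (test conditions non-ideal).
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+\S+")
GUESS_RE = re.compile(r"(.+?) \((\d+)%\)")  # "name (NN%)" items, comma separated

@dataclass
class OsScanSummary:
    open_ports: list = field(default_factory=list)
    unreliable: bool = False   # nmap's "results may be unreliable" warning seen
    exact_match: bool = False  # an "OS details:" line means a database hit
    guesses: list = field(default_factory=list)  # [(name, confidence), ...]

def parse_os_scan(report: str) -> OsScanSummary:
    s = OsScanSummary()
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            s.open_ports.append(f"{m.group(1)}/{m.group(2)}")
        elif line.startswith("Warning: OSScan results may be unreliable"):
            s.unreliable = True
        elif line.startswith("OS details:"):
            s.exact_match = True
        elif line.startswith("Aggressive OS guesses:"):
            body = line.split(":", 1)[1]
            s.guesses = [(n.strip(" ,"), int(c)) for n, c in GUESS_RE.findall(body)]
    return s

def fingerprint_exposure(report: str) -> str:
    """'identified' on a database hit; a guess only counts if nmap saw an open and a closed port and is >= 90% sure."""
    s = parse_os_scan(report)
    if s.exact_match:
        return "identified"
    if not s.guesses:
        return "unknown"
    if s.unreliable or s.guesses[0][1] < 90:
        return "guessed-unreliably"
    return "guessed"
```

Run against a report where every non-service port is filtered (as in both outputs above) it returns "guessed-unreliably", which is the point jlehtone made: without a closed port to probe, Nmap's guesses say little about the OS.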
