Thwarting Remote OS Fingerprinting Eric Kluthe

What is OS fingerprinting? Sending packets, usually ICMP and TCP, to a host and recording the responses that come back. Every TCP/IP stack answers unusual packets slightly differently, so Nmap and other tools send a handful of specially crafted probes and compare the replies against a database of known stack behaviours in order to identify the OS.

An example of fingerprinting The ICMP echo test

ICMP packet structure

An Example - The ICMP echo test In this test we send out two ICMP echo requests with the following attributes set: Packet 1: IP DF bit set, TOS byte value of 0, an ICMP code of 9 (should be 0 for an echo request), sequence number 295, a random ICMP identifier, and 120 bytes of 0x00 as the payload. Packet 2: DF bit clear, TOS of 4 (IP_TOS_RELIABILITY), a code of 0, the identifier and sequence number incremented by one from the first probe, and 150 bytes of data. The bogus code and the DF bit are there because stacks disagree on whether to echo them back, zero them out, or ignore them.

What do we get in return? Windows 2008 Server: IE(R=Y%DFI=N%TG=80%CD=Z) Ubuntu 10.04: IE(R=Y%DFI=N%T=40%CD=S) Notice the differences? R=Y means both probes were answered. DFI=N means neither reply had the DF bit set, which both stacks have in common. T and TG are the initial TTL in hex (T is the measured value, TG is Nmap's guess rounded to a common initial TTL when it cannot measure the hop count): 0x80 = 128 on Windows, 0x40 = 64 on Linux. CD is the ICMP code in the replies: Z means Windows zeroed the code in both replies (dropping the bogus code 9 from probe 1), while S means Linux echoed each probe's code back, so its first reply still carried code 9. The TTL and the code handling alone are enough to separate the two stacks.
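To make the IE test concrete, the following is an added example for this page (it is not Eric Kluthe's code and not Nmap's implementation): it builds the two echo probes with the attributes described above, then turns a pair of echo replies into the IE(...) line in the same encoding Nmap's OS-detection documentation uses for R, DFI, T, TG and CD. The two sets of replies are constructed to match the Windows and Ubuntu lines on the slide, not captured traffic, and the target is assumed to be directly attached (hop distance 0) so the initial TTL equals the reply TTL.

```python
"""Nmap-style ICMP echo (IE) probes and classification of the replies.

Added example; not the talk's code and not Nmap's implementation.
Probe attributes follow Nmap's documented IE test; the result encoding
(R, DFI, T, TG, CD) follows Nmap's OS-detection docs.  Assumptions:
hop distance 0 (T equals the reply TTL) and constructed sample replies.
"""
import os
import struct

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an echo request; the checksum covers header and payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, csum, ident, seq) + payload


def build_ie_probes(ident=None):
    """The two IE probes as (ip_df, ip_tos, icmp_bytes).

    Probe 1: DF set, TOS 0, code 9, seq 295, 120 zero bytes.
    Probe 2: DF clear, TOS 4, code 0, ID and seq incremented, 150 bytes.
    """
    if ident is None:
        ident = int.from_bytes(os.urandom(2), "big")
    p1 = build_icmp_echo(9, ident, 295, b"\x00" * 120)
    p2 = build_icmp_echo(0, (ident + 1) & 0xFFFF, 296, b"\x00" * 150)
    return [(True, 0, p1), (False, 4, p2)]


def ttl_guess(initial_ttl: int) -> int:
    """Nmap's TG: round the initial-TTL estimate up to 32, 64, 128 or 255."""
    for common in (32, 64, 128, 255):
        if initial_ttl <= common:
            return common
    return 255


def classify_ie(probes, replies, hops=0):
    """Turn the two echo replies into an IE(...) fingerprint line.

    replies: one dict per probe {"df": bool, "ttl": int, "code": int},
    or None when that probe got no answer.
    """
    if len(replies) != 2 or any(r is None for r in replies):
        return "IE(R=N)"
    reply_df = [r["df"] for r in replies]
    probe_df = [p[0] for p in probes]
    if not any(reply_df):
        dfi = "N"          # neither reply has DF set
    elif reply_df == probe_df:
        dfi = "S"          # each reply mirrors its probe's DF bit
    elif all(reply_df):
        dfi = "Y"          # both replies have DF set
    else:
        dfi = "O"          # the remaining combination
    reply_codes = [r["code"] for r in replies]
    probe_codes = [p[2][1] for p in probes]   # byte 1 of the ICMP header
    if reply_codes == [0, 0]:
        cd = "Z"           # stack zeroes the code (probe 1 sent code 9)
    elif reply_codes == probe_codes:
        cd = "S"           # stack echoes the probe's code back
    elif reply_codes[0] == reply_codes[1]:
        cd = "%X" % reply_codes[0]
    else:
        cd = "O"
    initial_ttl = replies[0]["ttl"] + hops
    return "IE(R=Y%%DFI=%s%%T=%X%%TG=%X%%CD=%s)" % (
        dfi, initial_ttl, ttl_guess(initial_ttl), cd)


# Constructed replies matching the two stacks shown on the slide.
SAMPLE_REPLIES = {
    "windows_2008": [{"df": False, "ttl": 128, "code": 0},
                     {"df": False, "ttl": 128, "code": 0}],
    "ubuntu_10_04": [{"df": False, "ttl": 64, "code": 9},
                     {"df": False, "ttl": 64, "code": 0}],
}


if __name__ == "__main__":
    probes = build_ie_probes(ident=0x1234)
    for name, replies in SAMPLE_REPLIES.items():
        print(name, classify_ie(probes, replies))
```

Sending the probes for real needs a raw socket (root) and a way to set DF and TOS on the IP header; the point here is the decoding side, which is what you need to understand before you can decide which stack values to change. Note that `T` is only as good as the hop count: on a routed path, pass `hops=` or the TTL will be read low.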

My Research
1. Find out what software packages are out there for both OS detection and evasion.
2. Test these tools using Backtrack 5, a clean install of Ubuntu 10.04, and a clean install of Windows Server.
3. Firewall all of the non-public services off from the public.
4. Test again and record results.
5. Install OS evasion software. Disable firewall.
6. Test again and record results.
7. Enable firewall and evasion software.
8. Test again and record results.

What ended up happening?
1. The only detection tools that are still being updated are Nmap and SinFP.
2. There are no fingerprint evasion tools that work for operating systems made within the past 4 years.
3. Since I knew how the fingerprinting software worked, I was able to mess with some TCP variables in the operating system to mimic the evasion tools.
4. Success.

Results
Clean:
Nmap: Detected both perfectly.
SinFP: Detected both perfectly.
With FW rules in place:
Nmap: Detected both perfectly.
SinFP: Detected both perfectly.
After changing the TCP values (MTU, window size, default TTL, etc.):
Nmap: Ubuntu turned into a Linksys WRV54G WAP. Windows: no exact match, but guessed it anyway.
SinFP: Completely failed on both, no fingerprint found.

Results
After implementing both FW rules and changing the TCP values:
Nmap: Ubuntu machine returned no OS matches. Windows machine returned no exact matches but guessed with equal probability that it was either Windows or FreeBSD.
SinFP: Failed.

Results
- Created a script that makes an Ubuntu machine look like a Linksys router.
- Would have been easy to make a small script for Windows.
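The slides do not reproduce the script, so the following is an added example (not Eric Kluthe's script and not any tool's code) of the mechanism behind it on Linux: the stack values that Nmap and SinFP key on (initial TTL, TCP timestamps, window scaling, SACK) live under /proc/sys, and changing them is a matter of writing those files and reading them back. The target values are an assumed profile chosen to stop looking like a stock Linux stack, not the values used in the talk; the sysctl names are real. The `root` parameter lets the same code run against a scratch directory, so the read-back check can be exercised without root.

```python
"""Set and read back the kernel TCP/IP values that fingerprinting keys on.

Added example; not the talk's script and not any tool's code.  The knob
names are real Linux sysctls under /proc/sys; the target values are an
assumed profile, not the ones used in the talk.  `root` is /proc/sys on
a live host (needs root) or a scratch directory for testing.
"""
import os
import subprocess
import tempfile

# Assumed stock-Linux defaults that the fingerprinters pick up on.
LINUX_TELLS = {
    "net/ipv4/ip_default_ttl": "64",
    "net/ipv4/tcp_timestamps": "1",
    "net/ipv4/tcp_window_scaling": "1",
    "net/ipv4/tcp_sack": "1",
}

# Assumed evasion profile: Windows-like initial TTL, no timestamps,
# no window scaling, no SACK.  Each of these has a cost (see the note).
PROFILE = {
    "net/ipv4/ip_default_ttl": "128",
    "net/ipv4/tcp_timestamps": "0",
    "net/ipv4/tcp_window_scaling": "0",
    "net/ipv4/tcp_sack": "0",
}


def read_knob(root, key):
    with open(os.path.join(root, key)) as fh:
        return fh.read().strip()


def write_knob(root, key, value):
    with open(os.path.join(root, key), "w") as fh:
        fh.write(value + "\n")


def audit(root="/proc/sys", tells=LINUX_TELLS):
    """Return {key: current} for every knob still at its stock-Linux value."""
    return {k: read_knob(root, k) for k, v in tells.items()
            if read_knob(root, k) == v}


def apply_profile(root="/proc/sys", profile=PROFILE, dry_run=False):
    """Write the profile; return [(key, before, after)] from a read-back."""
    changes = []
    for key, wanted in profile.items():
        before = read_knob(root, key)
        if not dry_run and before != wanted:
            write_knob(root, key, wanted)
        after = wanted if dry_run else read_knob(root, key)
        changes.append((key, before, after))
    return changes


def mtu_command(iface, mtu):
    """argv for the interface MTU change (the MTU is not a sysctl)."""
    return ["ip", "link", "set", "dev", iface, "mtu", str(mtu)]


def run_mtu_command(iface, mtu):
    subprocess.run(mtu_command(iface, mtu), check=True)


def scratch_root(values):
    """Build a throwaway /proc/sys look-alike seeded with `values`."""
    root = tempfile.mkdtemp(prefix="fake-proc-sys-")
    for key, value in values.items():
        path = os.path.join(root, key)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        write_knob(root, key, value)
    return root


if __name__ == "__main__":
    # Dry run against the live kernel: shows what would change, writes nothing.
    for key, before, after in apply_profile(dry_run=True):
        print("%-32s %s -> %s" % (key, before, after))
    print("still stock-Linux:", sorted(audit()))
```

The read-back in `apply_profile` matters because a write to /proc/sys can silently clamp or reject a value. The costs are the ones the Conclusions slide hints at: turning off timestamps removes PAWS and RTT measurement, turning off window scaling caps the receive window at 64 KiB, and dropping SACK hurts recovery on lossy links. ip_default_ttl also changes the TTL of every outgoing packet, which is exactly what the T/TG test reads, so changing it is the single biggest lever.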

Conclusions
1. Tools need to be updated or recreated for newer OS's.
2. It is pretty easy to change the profile of your machine and fool the detection/fingerprinting software.
3. You should probably lock down the services on your machines anyway.
4. Messing with the TCP/IP values may introduce performance issues. (Future research?)