Hiding information from nmap Network
Following a story on slashdot led to this article about hiding your system fingerprint from nmap. Now, as far as I know (from nmap scanning on my local network), my machine has never been tagged (identified), but the suggestion about dropping packets to closed ports seemed like a "Good Idea." The instructions in the BSD section were:
sysctl -w net.inet.tcp.blackhole=[0 | 1 | 2]
sysctl -w net.inet.udp.blackhole=[0 | 1]
I used the values (2,1), and nmap was then unable to even propose a set of values (it failed on tests 2,5,6,7 and U). Not sure of the real value, but for the paranoid out there, why not give yourself a little extra edge.

[robg adds: I have not tested this one...]
Hiding information from nmap
Authored by: jzsimon on Mar 18, '03 01:10:52PM

If you have nmap installed on your own computer (e.g. with "fink install nmap"), you can easily test your own computer using localhost as the target:
-------------------
> sudo nmap -O localhost
Password:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on localhost (127.0.0.1):
(The 1570 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
11/tcp open systat
15/tcp open netstat
22/tcp open ssh
25/tcp open smtp
79/tcp open finger
111/tcp open sunrpc
119/tcp open nntp
143/tcp open imap2
427/tcp open svrloc
540/tcp open uucp
548/tcp open afpovertcp
587/tcp open submission
631/tcp open ipp
635/tcp open unknown
993/tcp open imaps
1033/tcp open netinfo
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
6000/tcp open X11
6667/tcp open irc
12345/tcp open NetBus
12346/tcp open NetBus
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
Remote OS guesses: FreeBSD 4.4-5 or Mac OS X 10.0.4 (Darwin V. 1.3-1.3.7 or 4P13), FreeBSD 4.4 for i386 (IA-32)

Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds
-------------------
Not exactly correct (I'm running Mac OS X 10.2.4) but not too far off.



Hiding information from nmap
Authored by: rotaiv on Mar 18, '03 01:25:02PM

I tried setting both of the blackhole settings as suggested but it did not seem to make any difference. I used nmap 3.0 on a fully patched RedHat Linux 8.0 and it still identified my Mac OS 10.2.5 as "Mac OS X 10.1 - 10.1.4". Now I know the version is not quite correct but it still provided the correct OS.



Hiding information from nmap
Authored by: scaryfish on Mar 18, '03 03:24:22PM
I've found that if you do this, it bypasses your firewall. By default, it's set up to allow loopback connections, which is what you're doing when you use 127.0.0.1 - and if I do this, all my ports show up.

If, however, I get my external ip and try scanning that, I don't get anything - not even the ICMP ping gets through.

Also, Snort tells me someone's trying to portscan me :) (as well as complaining that there are packets going out with the same source and destination)

---
=)



Hiding information from nmap
Authored by: jgw on Mar 18, '03 06:02:13PM
I posted the original hint. Here are more details (sorry for the length). Using two systems: sunbox is a Solaris 8 host, macbox is running 10.2. Hope this is a bit clearer.

1. Check the macbox
macbox bash$ sysctl net.inet.tcp.blackhole
net.inet.tcp.blackhole: 0
macbox bash$ sysctl net.inet.udp.blackhole
net.inet.udp.blackhole: 0

2. Run nmap on sunbox - note the test results at the end
sunbox ksh$ nmap -sS -O 10.128.12.105
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on macbox (10.128.12.105):
(Ports scanned but not shown below are in state: filtered)
Port State Protocol Service
22 open tcp ssh
80 open tcp http
427 unfiltered tcp svrloc
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 195 seconds

3. Fiddle macbox
macbox bash$ sudo sysctl -w net.inet.tcp.blackhole=2
net.inet.tcp.blackhole: 0 -> 2
macbox bash$ sudo sysctl -w net.inet.udp.blackhole=1
net.inet.udp.blackhole: 0 -> 1

4. Run nmap again - note different test results
sunbox ksh$ nmap -sS -O 10.128.12.105
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on macbox (10.128.12.105):
(Ports scanned but not shown below are in state: filtered)
Port State Protocol Service
22 open tcp ssh
80 open tcp http

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 200 seconds



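The before/after fingerprints in jgw's post, and the "failed on tests 2,5,6,7 and U" summary in the original hint, can be checked mechanically. The following is an added example, not code from the posts or from nmap: it parses the first-generation nmap fingerprint format shown above, lists which tests lost their reply, and predicts that set from the sysctl levels. The two fingerprint strings are copied from jgw's scans; the probe table follows nmap's first-generation OS detection (T1-T4 are sent to an open port, T5-T7 and PU to a closed one); the level semantics follow FreeBSD's blackhole(4) man page, and Darwin is assumed to implement its same-named sysctls the same way.

```python
"""Parse first-generation nmap OS fingerprints and show which probes the
BSD blackhole sysctls silence.

Added example for this hint, not code from the posts or from nmap. The
fingerprints are copied from jgw's before/after scans; the blackhole
semantics follow FreeBSD blackhole(4) and are assumed to hold on Darwin.
"""
import re

BEFORE = """\
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=0%ULEN=134%DAT=E)
"""

AFTER = """\
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
"""

# (protocol, state of the target port, flags sent) for each nmap probe.
PROBES = {
    "T1": ("tcp", "open", "SYN"),
    "T2": ("tcp", "open", "NULL"),
    "T3": ("tcp", "open", "SYN|FIN|URG|PSH"),
    "T4": ("tcp", "open", "ACK"),
    "T5": ("tcp", "closed", "SYN"),
    "T6": ("tcp", "closed", "ACK"),
    "T7": ("tcp", "closed", "FIN|PSH|URG"),
    "PU": ("udp", "closed", "UDP"),
}

LINE_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text):
    """'T5(Resp=Y%DF=N%...)' -> {'T5': {'Resp': 'Y', 'DF': 'N', ...}}."""
    fp = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("not a fingerprint line: %r" % line)
        test, body = m.groups()
        attrs = {}
        for field in body.split("%"):
            key, _, value = field.partition("=")
            attrs[key] = value
        fp[test] = attrs
    return fp


def silenced_by_blackhole(tcp_level, udp_level):
    """Probes that stop drawing a reply at the given sysctl levels.

    net.inet.tcp.blackhole: 0 = RST for every segment to a closed port,
    1 = drop only SYN to closed ports, 2 = drop every such segment.
    net.inet.udp.blackhole: 1 = no ICMP port-unreachable for closed ports.
    Probes aimed at an open port are never affected.
    """
    silenced = set()
    for test, (proto, state, flags) in PROBES.items():
        if state != "closed":
            continue
        if proto == "tcp" and (tcp_level >= 2 or (tcp_level == 1 and flags == "SYN")):
            silenced.add(test)
        if proto == "udp" and udp_level >= 1:
            silenced.add(test)
    return silenced


def changed_responses(before, after):
    """Tests whose Resp flag differs between two parsed fingerprints."""
    return {t for t in before
            if before[t].get("Resp") != after.get(t, {}).get("Resp")}


if __name__ == "__main__":
    observed = changed_responses(parse_fingerprint(BEFORE), parse_fingerprint(AFTER))
    predicted = silenced_by_blackhole(2, 1)
    print("tests that lost their reply:", sorted(observed))
    print("predicted for tcp=2, udp=1:  ", sorted(predicted))
    print("match" if observed == predicted else "mismatch")
```

Run as-is it reports that T5, T6, T7 and PU lost their reply, exactly the set the sysctl levels predict; T2 was already Resp=N before the change, which is why the hint counts it among the failed tests. Calling silenced_by_blackhole(1, 0) returns only T5: with tcp.blackhole=1 the ACK and FIN|PSH|URG probes to a closed port still get a RST, so the stack is still partly fingerprintable, which is the practical difference between the two tcp levels.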
Hiding information from nmap - don't do it.
Authored by: mdornseif on Mar 19, '03 03:46:09AM
Don't do this if you do not know exactly what you gain by doing so and what you break. Many things are designed on the assumption that you are notified if a port is closed. If your computer doesn't act accordingly you might break a lot of things, e.g. sending mail to certain servers or connecting to IRC (because of ident lookups/socks checks). On the other hand, most Mac OS X computers can be identified without nmap, e.g. by checking HTTP headers:
[c0ldcut:~] md% telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
...
Server: Apache/1.3.27 (Darwin) DAV/1.0.3
...
So fiddling with the IP stack's internals has very questionable gains to offer.

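The application-layer leak mdornseif demonstrates with telnet is worth checking from a script, since a Server header naming the platform makes any stack-level hiding moot. The following is an added example, not code from the post: parse_server_header() extracts the Server header from a captured response, platform_tokens() pulls out the parenthesised platform comment, and grab_server_header() performs the same HEAD request over a socket against a live host. SAMPLE_RESPONSE is constructed around the Server line in the post; the Content-Type line is filler.

```python
"""Check what an HTTP server's banner gives away about the OS.

Added example, not code from the original posts. SAMPLE_RESPONSE is a
constructed response built around the Server line mdornseif posted; the
Content-Type line is filler.
"""
import re
import socket

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.27 (Darwin) DAV/1.0.3\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def parse_server_header(raw):
    """Server header value from a raw HTTP response, or None if absent."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def platform_tokens(server_value):
    """Parenthesised comment tokens, e.g. ['Darwin']: that is the OS leak."""
    return re.findall(r"\(([^)]*)\)", server_value or "")


def grab_server_header(host, port=80, timeout=5.0):
    """Send the same HEAD request as the telnet session and parse the reply."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in buf:  # read until the end of the headers
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return parse_server_header(buf)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    banner = grab_server_header(target) if target else parse_server_header(SAMPLE_RESPONSE)
    print("Server:", banner)
    print("platform tokens:", platform_tokens(banner))
```

Run with a hostname argument it queries that host; without one it works on the constructed sample and reports Darwin as the platform token. Apache's ServerTokens directive controls how much of this line is sent, which is the fix for this particular leak rather than the blackhole sysctls.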
Hiding information from nmap - don't do it.
Authored by: jrishaw on Mar 19, '03 05:15:29AM

One should also be wary when giving bad information out.

By setting tcp blackhole to '1' you do not 'break' anything, nor do you risk "breaking the stack".

There are no 'cons' to setting tcp blackhole to 1, other than servers trying to scan you will time out rather than sit and nail you port after port.

Being a networking expert and a BSD operator for almost a decade now, I support this; in fact I've done so on most every BSD box I admin, OS X and otherwise (Free/Net/Open).

I must say, however, that the better way to approach this is with a tight ipfw configuration front-ended by a decent nat box that's locked down. Blackhole in and of itself is not a hardener of security; but it does make things a little more vague/obscure.



Hiding information from nmap - don't do it if you think it will make you "more secure"
Authored by: jrishaw on Mar 19, '03 05:18:08AM

Use ipfw. And read the reply to the first "dont do it" post above.



Hiding information from nmap
Authored by: bluehz on Mar 19, '03 09:30:25AM

Any way to do this on a Slackware Linux box (I use it for my Mac LAN) without patching the kernel?



Hiding information from nmap
Authored by: datasmid on Apr 20, '06 02:47:52AM
This hint was verified to work on Mac OS X Tiger 10.4.6 scanned with nmap 3.93:

If you have only one port open and one port closed, nmap outputs:

Running Apple Mac OS X 10.3.X|10.4.X, IBM AIX 4.X, Microsoft Windows 2003/.NET|NT/2K/XP
That still leaves a big deal of guesswork for the scanner.

If you also run in stealth mode without any open port (nothing enabled in the Sharing preference pane), then nmap cannot tell anything about your Mac.


