

Hiding information from nmap
Authored by: jzsimon on Mar 18, '03 01:10:52PM

If you have nmap installed on your own computer (e.g. with "fink install nmap"), you can easily test your own computer using localhost as the target:
-------------------
> sudo nmap -O localhost
Password:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on localhost (127.0.0.1):
(The 1570 ports scanned but not shown below are in state: closed)
Port       State  Service
1/tcp      open   tcpmux
11/tcp     open   systat
15/tcp     open   netstat
22/tcp     open   ssh
25/tcp     open   smtp
79/tcp     open   finger
111/tcp    open   sunrpc
119/tcp    open   nntp
143/tcp    open   imap2
427/tcp    open   svrloc
540/tcp    open   uucp
548/tcp    open   afpovertcp
587/tcp    open   submission
631/tcp    open   ipp
635/tcp    open   unknown
993/tcp    open   imaps
1033/tcp   open   netinfo
1080/tcp   open   socks
1524/tcp   open   ingreslock
2000/tcp   open   callbook
6000/tcp   open   X11
6667/tcp   open   irc
12345/tcp  open   NetBus
12346/tcp  open   NetBus
27665/tcp  open   Trinoo_Master
31337/tcp  open   Elite
32771/tcp  open   sometimes-rpc5
32772/tcp  open   sometimes-rpc7
32773/tcp  open   sometimes-rpc9
32774/tcp  open   sometimes-rpc11
54320/tcp  open   bo2k
Remote OS guesses: FreeBSD 4.4-5 or Mac OS X 10.0.4 (Darwin V. 1.3-1.3.7 or 4P13), FreeBSD 4.4 for i386 (IA-32)

Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds
-------------------
Not exactly correct (I'm running Mac OS X 10.2.4) but not too far off.



Hiding information from nmap
Authored by: rotaiv on Mar 18, '03 01:25:02PM

I tried setting both of the blackhole settings as suggested but it did not seem to make any difference. I used nmap 3.0 on a fully patched RedHat Linux 8.0 and it still identified my Mac OS 10.2.5 as "Mac OS X 10.1 - 10.1.4". Now I know the version is not quite correct but it still provided the correct OS.



Hiding information from nmap
Authored by: scaryfish on Mar 18, '03 03:24:22PM
I've found that if you do this, it bypasses your firewall. By default, it's set up to allow loopback connections, which is what you're doing when you use 127.0.0.1 - and if I do this, all my ports show up.

If, however, I get my external ip and try scanning that, I don't get anything - not even the ICMP ping gets through.

Also, Snort tells me someone's trying to portscan me :) (as well as complaining that there are packets going out with the same source and destination)

---
=)



Hiding information from nmap
Authored by: jgw on Mar 18, '03 06:02:13PM
I posted the original hint. Here are more details (sorry for the length). Using two systems: sunbox is a Solaris 8 host, macbox is running 10.2. Hope this is a bit clearer.

1. Check the macbox
macbox bash$ sysctl net.inet.tcp.blackhole
net.inet.tcp.blackhole: 0
macbox bash$ sysctl net.inet.udp.blackhole
net.inet.udp.blackhole: 0

2. Run nmap on sunbox - note the test results at the end
sunbox ksh$ nmap -sS -O 10.128.12.105
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on macbox (10.128.12.105):
(Ports scanned but not shown below are in state: filtered)
Port  State       Protocol  Service
22    open        tcp       ssh
80    open        tcp       http
427   unfiltered  tcp       svrloc
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 195 seconds

3. Fiddle macbox
macbox bash$ sudo sysctl -w net.inet.tcp.blackhole=2
net.inet.tcp.blackhole: 0 -> 2
macbox bash$ sudo sysctl -w net.inet.udp.blackhole=1
net.inet.udp.blackhole: 0 -> 1

4. Run nmap again - note different test results
sunbox ksh$ nmap -sS -O 10.128.12.105
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on macbox (10.128.12.105):
(Ports scanned but not shown below are in state: filtered)
Port  State       Protocol  Service
22    open        tcp       ssh
80    open        tcp       http

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 200 seconds



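An added example, not from jgw's post or the original hint, that wraps the four steps above into one script and adds a check on the scanner's fingerprint output. It assumes the BSD sysctls net.inet.tcp.blackhole and net.inet.udp.blackhole exist on the target (Mac OS X / FreeBSD), that nmap is run from a separate host (as scaryfish notes, a scan of 127.0.0.1 goes over loopback and bypasses the firewall), and that the output is in the classic T1..T7/PU fingerprint format shown in the thread. The script name blackhole-check.sh and the two SAMPLE_* fingerprints are made up for illustration; the samples copy the values posted above so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original hint or any poster in this thread.
# Wraps the four-step procedure into a script and adds a check on the
# scanner's fingerprint output. Assumes net.inet.tcp.blackhole and
# net.inet.udp.blackhole exist on the target, that nmap runs on a separate
# host, and that the output uses the classic T1..T7/PU fingerprint lines.
# The script name and the SAMPLE_* fingerprints below are illustrative; the
# samples copy the values from the thread so the check runs offline.

# Values the thread applies. tcp.blackhole=2: drop every segment to a closed
# TCP port without answering RST (1 would drop only SYNs). udp.blackhole=1:
# send no ICMP port-unreachable for closed UDP ports.
TCP_BLACKHOLE=2
UDP_BLACKHOLE=1

# Step 1: record the current values so they can be restored later.
show_blackhole() {
    sysctl net.inet.tcp.blackhole net.inet.udp.blackhole
}

# Step 3: apply. sysctl -w is not persistent; the change is gone after a reboot.
apply_blackhole() {
    sudo sysctl -w net.inet.tcp.blackhole="$TCP_BLACKHOLE"
    sudo sysctl -w net.inet.udp.blackhole="$UDP_BLACKHOLE"
}

# Steps 2 and 4: run on the scanning host, saving the output for the check.
scan_target() {
    nmap -sS -O "$1" > "$2"    # $1 = target address, $2 = output file
}

# Print the names (T1..T7, PU) of the fingerprint probes that got no reply.
# T1..T4 hit an open port and are unaffected by blackhole; T5, T6, T7 and PU
# hit a closed port and are the ones the settings are meant to silence.
# Reads the fingerprint text on stdin.
silent_probes() {
    awk '/^(T[1-7]|PU)\(Resp=N/ {
             p = $0; sub(/\(.*/, "", p)
             out = out (out == "" ? "" : " ") p
         }
         END { print out }'
}

# Succeed only when all four closed-port probes are silent, i.e. the
# settings took effect as seen from the scanner. Reads fingerprint on stdin.
blackhole_effective() {
    silent=" $(silent_probes) "
    for probe in T5 T6 T7 PU; do
        case "$silent" in
            *" $probe "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed samples: the "before" and "after" fingerprints from the thread.
SAMPLE_BEFORE='TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=0%ULEN=134%DAT=E)'

SAMPLE_AFTER='TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)'

# Usage: sh blackhole-check.sh apply            (on the Mac)
#        sh blackhole-check.sh scan HOST FILE   (on the other host)
#        sh blackhole-check.sh check FILE       (anywhere, on saved nmap output)
#        sh blackhole-check.sh demo             (offline, on the samples)
case "${1:-}" in
    apply) show_blackhole; apply_blackhole; show_blackhole ;;
    scan)  scan_target "$2" "$3" ;;
    check) if blackhole_effective < "$2"; then
               echo "closed-port probes silent"
           else
               echo "closed-port probes still answered"
           fi ;;
    demo)  printf '%s\n' "$SAMPLE_BEFORE" | silent_probes   # T2
           printf '%s\n' "$SAMPLE_AFTER"  | silent_probes   # T2 T5 T6 T7 PU
           ;;
esac
```

The check only tells you that closed-port probes went quiet. T1, T3 and T4 (and the TCP sequence class) are answered by open ports and are identical before and after, and nmap matches on the whole fingerprint, so the open-port responses can still identify the stack; that is consistent with rotaiv still getting a Mac OS X guess. Restore the recorded values with sysctl -w if you want the old behaviour back, and remember the change does not survive a reboot.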