Hiding information from nmap
Authored by: jgw on Mar 18, '03 06:02:13PM
I posted the original hint. Here are more details (sorry for the length). Using two systems: sunbox is a Solaris 8 host, macbox is running 10.2. Hope this is a bit clearer.

1. Check the macbox
macbox bash$ sysctl net.inet.tcp.blackhole
net.inet.tcp.blackhole: 0
macbox bash$ sysctl net.inet.udp.blackhole
net.inet.udp.blackhole: 0

2. Run nmap on sunbox - note the test results at the end
sunbox ksh$ nmap -sS -O 10.128.12.105
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on macbox (10.128.12.105):
(Ports scanned but not shown below are in state: filtered)
Port State Protocol Service
22 open tcp ssh
80 open tcp http
427 unfiltered tcp svrloc
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 195 seconds

3. Fiddle macbox
macbox bash$ sudo sysctl -w net.inet.tcp.blackhole=2
net.inet.tcp.blackhole: 0 -> 2
macbox bash$ sudo sysctl -w net.inet.udp.blackhole=1
net.inet.udp.blackhole: 0 -> 1

4. Run nmap again - note different test results
sunbox ksh$ nmap -sS -O 10.128.12.105
Starting nmap V. 2.3BETA14 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on macbox (10.128.12.105):
(Ports scanned but not shown below are in state: filtered)
Port State Protocol Service
22 open tcp ssh
80 open tcp http

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 200 seconds



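Added example, not part of jgw's comment: a Python script that parses the two TCP/IP fingerprints quoted above and lists which nmap probes stopped answering once the blackhole sysctls were set. The fingerprint text is copied from the comment; the function names are made up for this example, and the probe-to-port mapping in the code comment is nmap's first-generation OS test layout rather than something stated on this page.

```python
import re
# Fingerprints copied from the two nmap runs in the comment above.
BEFORE = """\
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=0%ULEN=134%DAT=E)
"""
AFTER = """\
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=807A%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
"""
# nmap 1st-gen OS tests: T5-T7 go to a closed TCP port, PU to a closed UDP port.
CLOSED_PORT_PROBES = {"T5", "T6", "T7", "PU"}
LINE = re.compile(r"^(\w+)\((.*)\)$")

def parse_fingerprint(text):
    """Map each 'Name(k=v%k=v)' line to {name: {k: v}}."""
    probes = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            pairs = (p.partition("=")[::2] for p in m.group(2).split("%") if p)
            probes[m.group(1)] = dict(pairs)
    return probes

def silenced_probes(before, after):
    """Probes that answered (Resp=Y) before and are silent (Resp=N) after."""
    return sorted(n for n, f in before.items()
                  if f.get("Resp") == "Y" and after.get(n, {}).get("Resp") == "N")

def unchanged_probes(before, after):
    """Probes whose fields are identical in both runs."""
    return sorted(n for n in before if before[n] == after.get(n))

if __name__ == "__main__":
    b, a = parse_fingerprint(BEFORE), parse_fingerprint(AFTER)
    print("silenced:", silenced_probes(b, a), "unchanged:", unchanged_probes(b, a))
```

The silenced set is exactly the closed-port probes, while every probe aimed at an open port (including the RST in T4) is byte-for-byte the same in both runs.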