DaemonForums  

#1 - 17th February 2012
daemonfowl (bsdstudent)
Join Date: Jan 2012
Location: DaemonLand
Posts: 834

hiding OS from Netcraft ..

Hi everybody !

While surfing Netcraft days ago, I noticed that for some websites/servers OS detection falls short of revealing info .. they write 'unknown' .. e.g. plan9.bell-labs.com ..

* In theory, how can a server bypass nmap -O for instance or Netcraft OS-detection craft ?
* how can I hide my OS ID ..

I also noticed the generic description 'linux' instead of the distro name ..
#2 - 17th February 2012 - daemonfowl (bsdstudent)

actually bell-labs is running solaris .. but why is plan9 marked unknown OS ?
#3 - 17th February 2012
Carpetsmoker (Real Name: Martin; Tcpdump Spy)
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243

http://uptime.netcraft.com/up/accuracy.html#os
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#4 - 17th February 2012 - daemonfowl (bsdstudent)

Thanks Carpetsmoker ! of course I read it .. but that doesn't answer the question
in theory how can I deny nmap or any OS-detection tool to get the identity of my OS .. or at least to mislead it as to obtain wrong or more generic ID .. unix/linux/ ..
sorry for this newb question .. I remember an option in konqueror which prevents/allows browser identification -plus at will OS detection- ..
I am also thinking of that famous old livecd called AnonymOS .. I wonder if the anonymity it offers is both at the level of data packets and also -equally important- at the level of OS identity .. keeping my OS id anonymous is something I'd love to achieve ..
#5 - 17th February 2012
ocicat (Administrator)
Join Date: Apr 2008
Posts: 3,318

Quote (Originally Posted by daemonfowl):
in theory how can I deny nmap or any OS-detection tool to get the identity of my OS .. or at least to mislead it as to obtain wrong or more generic ID ..
I don't pretend to have the answer to your question, but fingerprinting is not a black-&-white subject. In fact, fingerprinting employs a number of heuristics which statistically identify the target -- which means that the result is not guaranteed to be correct.

The Nmap book has a section on OS detection:

http://nmap.org/book/osdetect-guess.html

...however, I will concur that it does not spell out the algorithms used in any detail. In many ways, the Nmap crowd doesn't want this to be widely known as OS developers will then modify their network stacks to return different results.

Ultimately, if you want a definitive answer, you will need to study the source code yourself.

Nevertheless, your question raises another in return. Why is it important to obscure what operating system you are running? In reading OpenBSD's mailing lists, there hasn't been that much discussion in over ten years:

http://marc.info/?l=openbsd-misc&w=2...erprinting&q=b

In general, believing that one can have security through obscurity is not an accepted best security practice.
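The heuristic, statistical nature of fingerprinting that ocicat describes above is easiest to see in a toy matcher. The following is an added example written for this thread, not code from the thread or from Nmap. It imitates only the shape of Nmap's second-generation engine (a weighted "MatchPoints" table, a set of acceptable values per test, and a confidence score that decides between naming an exact entry, naming only the OS family, or reporting "unknown"); the four attributes, their weights, the five fingerprints and the three sample responses are all constructed for illustration and are not taken from nmap-os-db. Real Nmap runs many more tests (SEQ, OPS, WIN, ECN, T1 to T7, U1, IE) against many more entries, which is why the result is a probability, not a lookup.

```python
"""
Toy OS-fingerprint matcher in the style of Nmap's second-generation engine.

Added example for this thread; not code from the thread or from Nmap.
All weights, fingerprints and observations below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Points per attribute, in the spirit of Nmap's MatchPoints table.
# The weights are an assumption of this example, not Nmap's real values.
MATCH_POINTS: Dict[str, int] = {"DF": 20, "TTL": 15, "W": 25, "O": 40}

CONFIDENT = 85     # best score at or above this: name the exact entry
FAMILY_ONLY = 50   # between FAMILY_ONLY and CONFIDENT: name only the OS family


@dataclass
class Fingerprint:
    name: str
    family: str
    expect: Dict[str, Set]  # attribute -> set of acceptable values


# Constructed fingerprints.  The values are illustrative and were NOT taken
# from nmap-os-db; only the shape (acceptable values per test) is realistic.
FINGERPRINTS = [
    Fingerprint("Linux 2.6.x (hypothetical)", "Linux",
                {"DF": {"Y"}, "TTL": {64}, "W": {5792, 5840}, "O": {"MSTNW"}}),
    Fingerprint("Linux 3.x (hypothetical)", "Linux",
                {"DF": {"Y"}, "TTL": {64}, "W": {14600, 29200}, "O": {"MSTNW"}}),
    Fingerprint("OpenBSD 5.x (hypothetical)", "OpenBSD",
                {"DF": {"Y"}, "TTL": {64}, "W": {16384}, "O": {"MNNSNWNNT"}}),
    Fingerprint("Windows 7 (hypothetical)", "Windows",
                {"DF": {"Y"}, "TTL": {128}, "W": {8192}, "O": {"MNWNNS"}}),
    Fingerprint("Solaris 10 (hypothetical)", "Solaris",
                {"DF": {"Y"}, "TTL": {255}, "W": {49640}, "O": {"NNTMNWNNS"}}),
]


def guess_initial_ttl(observed_ttl: int) -> int:
    """Round a hop-decremented TTL up to the nearest common initial value."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return 255


def score(fp: Fingerprint, observed: Dict[str, object]) -> int:
    """Percentage of the available match points that one entry earns."""
    earned = total = 0
    for attr, points in MATCH_POINTS.items():
        if attr not in observed:
            continue            # test not run: neither rewards nor penalises
        total += points
        value = observed[attr]
        if attr == "TTL":
            value = guess_initial_ttl(value)
        if value in fp.expect.get(attr, set()):
            earned += points
    return earned * 100 // total if total else 0


def classify(observed: Dict[str, object]) -> Tuple[str, int]:
    """Best guess plus its score: exact name, family only, or 'unknown'."""
    ranked = sorted(((score(fp, observed), fp) for fp in FINGERPRINTS),
                    key=lambda pair: pair[0], reverse=True)
    best_score, best_fp = ranked[0]
    if best_score >= CONFIDENT:
        return best_fp.name, best_score
    if best_score >= FAMILY_ONLY:
        # Several entries tie at the top: report the family only if they agree.
        families = {fp.family for s, fp in ranked if s == best_score}
        if len(families) == 1:
            return f"{families.pop()} (generic)", best_score
    return "unknown", best_score


# Constructed SYN/ACK observations (IP DF bit, IP TTL as seen on the wire,
# TCP window, TCP option order), i.e. what a probe would extract.
STOCK_LINUX = {"DF": "Y", "TTL": 57, "W": 29200, "O": "MSTNW"}
TUNED_LINUX = {"DF": "N", "TTL": 60, "W": 65535, "O": "MSTNW"}  # DF and window changed
SCRUBBED = {"DF": "N", "TTL": 250, "W": 65535, "O": "M"}        # options rewritten too

if __name__ == "__main__":
    for label, obs in (("stock", STOCK_LINUX), ("tuned", TUNED_LINUX), ("scrubbed", SCRUBBED)):
        print(label, "->", classify(obs))
```

Run as a script it names the stock host exactly, degrades the host with a changed DF bit and window to "Linux (generic)" because two Linux entries tie at the top, and gives "unknown" for the one whose option order was rewritten as well. That is the mechanism behind the two observations earlier in the thread: the generic "linux" label appears when the best matches agree only on the family, and "unknown" when no entry clears the threshold. Note that a stack which is tuned to dodge these four tests still answers every other probe in its own way, which is why a matcher with more tests (and an attacker with private ones) is not fooled for long.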
#6 - 17th February 2012 - daemonfowl (bsdstudent)

Hi Ocicat !
I must thank you for your enlightening point ..
security through obscurity in certain ways is an obligation .. not for fear of being attacked but of being *noticed* then *identified* if for instance you are the only one using a particular OS around in some small area where privacy has been redefined as 'cyber Mega Sin' ! so here being *UFO* is a sec-measure ..

Quote:
you will need to study the source code yourself.
you mean nmap's or the kernel's code ?
then a total mastery of c/lua/ is involved here .. :-)

the Q appertains only to the likes of us on personal workstations and private servers .. big servers on the other hand would not consider such anonymity ..

Last edited by daemonfowl; 17th February 2012 at 11:52 PM.
#7 - 18th February 2012 - ocicat (Administrator)

Quote (Originally Posted by daemonfowl):
security through obscurity in certain ways is an obligation .. not for fear of being attacked but of being *noticed* then *identified*...
The problem is that you/me/anyone is never going to know what the bad guys are doing to identify your/my/our systems. Nmap doesn't employ the only heuristics available, & the bad guys aren't going to advertise what methods they use. Ultimately, knowledge of fingerprinting techniques isn't necessarily the right topic to focus upon when it comes to securing systems exposed to the Internet.

What you will find the OpenBSD project developers advocating is understanding what packets are going through your firewall, & tightening the rules such that only the traffic you want gets through in either direction.

Focusing on firewall rules offers more tangible results. Trying to out-smart the ever-evolving murky heuristics used by the bad guys who will never divulge what they are doing will only put you/me/anyone into a constant game of cats chasing mice. And the bad guys aren't going to stand still -- at least not the really good ones.

While I will grant you that fingerprinting is a curious subject, & there are a number of books which chronicle publicized exploits, understanding fingerprinting at a deeper level also will take significant time, research, sophistication, & experience.
Quote:
you mean nmap's or the the kernel's code ?
Nmap, as your question was initially on how fingerprinting is done.
Quote:
then a total mastery of c/lua/ is involved here .. :-)
At minimum, C. Yet if this is a goal that you really want to pursue, I would rate it at the senior undergraduate level if you want a ballpark guess as to complexity.

Last edited by ocicat; 18th February 2012 at 12:21 AM.
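The advice in the post above (know which packets cross your firewall and tighten the rules so only wanted traffic passes in either direction) looks like this as a constructed OpenBSD pf.conf. It is an added example, not the thread's or the OpenBSD project's configuration, and it assumes the post-4.6 pf syntax, an external interface named em0, and SSH as the only service this host offers to the Internet.

```pf
# Constructed /etc/pf.conf for a single workstation or small server.
# Added example; assumes em0 is the external interface and SSH is the
# only inbound service. Adjust both before loading.
ext_if = "em0"

set skip on lo0

# Normalise inbound packets before the rules see them.
match in all scrub (no-df random-id reassemble tcp)

# Default deny in both directions. Logging the drops is what lets you
# see which packets are actually trying to cross the firewall.
block log all

# Outbound: only what this host initiates.
pass out on $ext_if inet proto tcp from ($ext_if) to any modulate state
pass out on $ext_if inet proto udp from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state

# Inbound: only the one service you mean to offer.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA modulate state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the `block log` rule drops with `tcpdump -n -e -ttt -i pflog0`. As a side effect, `random-id` and `modulate state` replace the IP ID and the TCP initial sequence number that a fingerprinter samples, so the host answers a few probes differently; that is not the point of the ruleset, and the remaining probes still get through to the stack, which is exactly the argument made above for spending the effort on the rules rather than on the fingerprint.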
#8 - 18th February 2012 - daemonfowl (bsdstudent)

Quote:
What you will find the OpenBSD project developers advocating is understanding what packets are going through your firewall, & tightening the rules such that only the traffic you want gets through in either direction.
Thanks Ocicat .. that's what a DaemonHacker would call "thinking correctly" ..
Think BSD =Think Correctly

I still wonder why some servers appear as anonymous OSes on Netcraft ..

Last edited by daemonfowl; 18th February 2012 at 12:56 AM.
#9 - 18th February 2012 - ocicat (Administrator)

As I recall, you have mentioned wanting/using tor in some other thread. While on the subject/myth of "security through obscurity", it is worth some mention that the tor servers were hacked some time back:

http://www.wired.com/politics/securi...urrentPage=all

...so to feel that this is a failsafe security measure, it isn't. In fact, you won't find the OpenBSD project developers to be real fans of the technology either.
18th February 2012 - daemonfowl (bsdstudent)

Ocicat, that's interesting to hear ! and thank you for the informative link !

Actually the OpenBSD Team warns against relying much on tor for anonymity as obvious from the boot message at the end .. there is even a recurring notice about libident stable and another version mismatch which may cause tor to crash ..

Maybe you'd suggest some other caching tool I must be using instead .. squid for instance ??
I'd be happy to learn about something new and more secure to use ..

Last edited by daemonfowl; 18th February 2012 at 04:55 AM.
18th February 2012 - ocicat (Administrator)

Quote (Originally Posted by daemonfowl):
I'd be happy to learn about sth...
daemonfowl, you're "sth"'ing again...


Quote:
Maybe you'd suggest some other caching tool I must be using instead ..
If you want to move discussion to a new topic, I think you know what to do.
18th February 2012 - daemonfowl (bsdstudent)

Corrected .. bad habits need time to unlearn lol ..
Thanks Ocicat !
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick