From owner-freebsd-security  Mon Jul  8 15:11: 5 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0895F37B400
	for ; Mon,  8 Jul 2002 15:10:59 -0700 (PDT)
Received: from ns3.ideathcare.com (mail.allneo.com [216.185.96.68])
	by mx1.FreeBSD.org (Postfix) with SMTP id 5DCCF43E09
	for ; Mon,  8 Jul 2002 15:10:58 -0700 (PDT)
	(envelope-from jps@funeralexchange.com)
Received: (qmail 8874 invoked by uid 85); 8 Jul 2002 22:18:10 -0000
Received: from jps@funeralexchange.com by ns3.ideathcare.com with qmail-scanner-1.03
	(uvscan: v4.1.40/v4121. . Clean. Processed in 0.185395 secs); 08 Jul 2002 22:18:10 -0000
Received: from unknown (HELO funeralexchange.com) (216.185.99.194)
	by mail.allneo.com with SMTP; 8 Jul 2002 22:18:09 -0000
Received: from 66.171.47.250 (SquirrelMail authenticated user jps@funeralexchange.com)
	by webmail.allneo.com with HTTP; Mon, 8 Jul 2002 17:11:35 -0500 (CDT)
Message-ID: <3803.66.171.47.250.1026166295.squirrel@webmail.allneo.com>
Date: Mon, 8 Jul 2002 17:11:35 -0500 (CDT)
Subject: Re: (Correction) Re: hiding OS name
From:
To:
In-Reply-To: <20020708101116.A22900@lava.net>
References: <20020708101116.A22900@lava.net>
X-Priority: 3
Importance: Normal
X-MSMail-Priority: Normal
Cc: , ,
X-Mailer: SquirrelMail (version 1.2.6)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I don't know if anyone has mentioned this yet, but I came across this in
;login: from May 2002:

    Xprobe is a tool automating the X logic. X is a logic developed from
    the various Active Operating System Fingerprinting methods discovered
    during the "ICMP Usage In Scanning" research project.
    WWW: http://www.sys-security.com/html/projects/X.html

It fingerprints your OS by ICMP datagrams instead of TCP and only needs up
to four packets to do its job. Anyone know how to hide yourself from this
besides blocking all ICMP traffic?

Also, off topic: can anyone suggest a good way to do remote logging via an
ssh tunnel? I have looked at syslog-ng but I would like to use the base
tools that come with FreeBSD (i.e. OpenSSH and syslogd).

Thanks,
Jeremy Suo-Anttila
jps@funeralexchange.com

> A correction to my earlier email response (which I also misdirected):
>
>> From: Clifton Royston
> ...
>> On Mon, Jul 08, 2002 at 07:42:00AM -0700, security-digest wrote:
>> > Date: Mon, 8 Jul 2002 08:11:37 -0600
>> > From: "Laurence Brockman"
>> > Subject: Re: hiding OS name
>> >
>> > I think that what the original poster was trying to get at was when
>> > being scanned by something like nmap using the OS detection (Or
>> > other tools), it would show no OS.
>> >
>> > This would mean changing the way the networking layer responds to
>> > certain packets (ICMP, tcp sequencing, etc) and I'm not sure if
>> > there is anything out there for FreeBSD (Never bothered to look).
>> >
>> > I know there are kernel patches for linux that actually change the
>> > stack to emulate other OS's, thus fooling these OS detection tools.
>> >
>> > Laurence
>>
>> I believe some details of the TCP stack implementation were changed in
>> 4.4 and above, which already makes the FreeBSD stack harder to
>> identify. Rebuilding your 4-x kernel with the following flag out of
>> the LINT file will make it much harder to identify (and also immune to
>> TCP sequence number prediction.)
>
> My comment was incorrect; TCP sequence prediction is a completely
> different issue and this is already dealt with correctly by the network
> stack. The following option, as it states, refers to the lower level
> IP ID generation.
>
>> # RANDOM_IP_ID causes the ID field in IP packets to be randomized
>> # instead of incremented by 1 with each packet generated. This
>> # option closes a minor information leak which allows remote
>> # observers to determine the rate of packet generation on the
>> # machine by watching the counter.
>> options RANDOM_IP_ID
>>
>> Unlike the TCP_DROP_SYNFIN flag which will somewhat impair the
>> operation of your server, this one provides some actual, if minor,
>> benefits against certain types of man-in-the-middle attacks.
>
> My comment there is incorrect; probably the only benefit is closing the
> information leak mentioned (of dubious value) and making it a little
> harder to ID your operating system.
>
>> Here's sample output from a fairly recent nmap (2.54BETA31) against a
>> recently rebuilt 4-STABLE server under my control:
>>
>> No exact OS matches for host (If you know what OS is running on it,
>> see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
>> TCP/IP fingerprint:
>> SInfo(V=2.54BETA31%P=i386-redhat-linux-gnu%D=7/8%Time=3D29DEDE%O=21%C=1)
>> TSeq(Class=TR%IPID=RD%TS=100HZ)
>> T1(Resp=Y%DF=N%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
>> T2(Resp=N)
>> T3(Resp=Y%DF=N%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
>> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
>> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
>> T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
>> T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
>> PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)
>>
>> Uptime 5.050 days (since Wed Jul  3 07:38:10 2002)
>> TCP Sequence Prediction: Class=truly random
>>                          Difficulty=9999999 (Good luck!)
>> IPID Sequence Generation: Randomized
>
> On a different machine running 4.4-R patched but without this flag the
> OS is successfully identified:
>
> Remote operating system guess: FreeBSD 4.3 - 4.4PRERELEASE
> Uptime 7.868 days (since Sun Jun 30 13:04:36 2002)
> TCP Sequence Prediction: Class=truly random
>                          Difficulty=9999999 (Good luck!)
> IPID Sequence Generation: Incremental
>
>
> BTW, a valid reason for keeping people from knowing exactly what you're
> running is to make it more likely that they will try the wrong version
> of an OS-specific exploit like the recent "apache_scalp". It might not
> help that much, but it would be a *little* better to have people
> running a Linux-specific exploit than a FreeBSD-specific exploit
> against your FreeBSD box.
>
> -- Clifton
>
> --
> Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
>   "What do we need to make our world come alive?
>    What does it take to make us sing?
>    While we're waiting for the next one to arrive..." - Sisters of Mercy
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
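The fingerprint block quoted above and the IP ID counter leak that RANDOM_IP_ID closes, as an added example that is not part of this thread and not code from nmap or FreeBSD: a small Python parser for the `Name(k=v%k=v...)` lines nmap 2.54 printed when it had no exact match, a summary of what such a fingerprint still tells a remote observer, and a classifier that does to a sequence of observed IP IDs what Clifton's quoted LINT comment describes (estimate the host's packet rate from a +1-per-packet counter). The sample fingerprint is the one quoted from the 4-STABLE box; the two IP ID sample sequences and the 1000-step "still a counter" threshold are constructed assumptions, and the IPID code table beyond RD and I is my reading of nmap's fingerprint format rather than anything on this page.

```python
import re

# Constructed sample input: the nmap 2.54BETA31 fingerprint quoted in the thread.
SAMPLE_FINGERPRINT = """\
TCP/IP fingerprint:
SInfo(V=2.54BETA31%P=i386-redhat-linux-gnu%D=7/8%Time=3D29DEDE%O=21%C=1)
TSeq(Class=TR%IPID=RD%TS=100HZ)
T1(Resp=Y%DF=N%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=N%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)
"""

# One fingerprint test per line: Name(field=value%field=value...)
_TEST_LINE = re.compile(r"^([A-Za-z0-9]+)\((.*)\)$")


def parse_fingerprint(text):
    """Return {test_name: {field: value}} for every Name(k=v%...) line.

    Lines that are not tests ('TCP/IP fingerprint:', the nmap-submit URL)
    are skipped. An empty value such as 'Ops=' is kept as ''."""
    tests = {}
    for raw in text.splitlines():
        m = _TEST_LINE.match(raw.strip())
        if not m:
            continue
        name, body = m.groups()
        fields = {}
        for kv in filter(None, body.split("%")):
            key, _, value = kv.partition("=")
            fields[key] = value
        tests[name] = fields
    return tests


# TSeq IPID codes. The thread shows RD ("Randomized") and, for the other
# machine, "Incremental" (I). BI and Z are the other codes nmap of that era
# used; assumption from nmap's fingerprint format, not from the thread.
IPID_CLASSES = {
    "RD": "randomized",
    "I": "incremental",
    "BI": "broken incremental (byte-swapped counter)",
    "Z": "all zero",
}


def summarize_leaks(fp):
    """What a parsed fingerprint still hands a remote observer, as strings."""
    leaks = []
    tseq = fp.get("TSeq", {})
    ipid = tseq.get("IPID")
    leaks.append("IP ID generation: " + IPID_CLASSES.get(ipid, "unknown (%s)" % ipid))
    ts = tseq.get("TS", "")
    if ts.endswith("HZ"):
        # A ticking TCP timestamp is how nmap printed "Uptime 5.050 days".
        leaks.append("TCP timestamp clock %s: uptime is observable" % ts)
    ops = fp.get("T1", {}).get("Ops")
    if ops:
        leaks.append("TCP option order %s on SYN|ACK: stack-specific" % ops)
    return leaks


def classify_ipid_sequence(samples, max_step=1000):
    """samples: [(seconds, ip_id), ...] observed from one host, in order.

    Returns ('incremental', packets_per_second) when every step between
    probes looks like a counter (0 < delta <= max_step, modulo 2**16), else
    ('randomized', None). This is the leak RANDOM_IP_ID closes: with a +1
    counter, the ID delta between two probes is the number of packets the
    host sent in between. max_step is an assumed threshold."""
    if len(samples) < 3:
        raise ValueError("need at least 3 samples")
    deltas = [(id1 - id0) & 0xFFFF
              for (_, id0), (_, id1) in zip(samples, samples[1:])]
    if all(0 < d <= max_step for d in deltas):
        elapsed = samples[-1][0] - samples[0][0]
        return "incremental", sum(deltas) / elapsed
    return "randomized", None


# Constructed sample captures (seconds since first probe, IP ID field).
INCREMENTAL_SAMPLES = [(0.0, 1000), (1.0, 1050), (2.0, 1100), (3.0, 1150)]
RANDOM_SAMPLES = [(0.0, 0x9F21), (1.0, 0x0314), (2.0, 0xE0A1), (3.0, 0x5C7B)]

if __name__ == "__main__":
    fp = parse_fingerprint(SAMPLE_FINGERPRINT)
    for line in summarize_leaks(fp):
        print(line)
    print(classify_ipid_sequence(INCREMENTAL_SAMPLES))
    print(classify_ipid_sequence(RANDOM_SAMPLES))
```

Run as-is it reports the quoted box as randomized-ID yet still leaking its uptime via the 100HZ timestamp clock and its MNWNNT option order, and estimates about 50 packets/s from the constructed incremental capture while refusing to estimate anything from the randomized one; that is the difference between the two machines in the quoted scan.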