Date:      Sat, 04 Sep 2004 22:28:59 +0200
From:      Łukasz Bromirski <lukasz@bromirski.net>
To:        freebsd-net@freebsd.org
Subject:   Re: fooling nmap
Message-ID:  <413A258B.5030506@bromirski.net>
In-Reply-To: <20040904135129.L38122@digital-security.org>
References:  <20040904093042.B37306@digital-security.org> <20040904175028.GA25772@csh.rit.edu>	<413A15DB.5010702@karnaugh.za.net> <20040904135129.L38122@digital-security.org>

vxp wrote:

> oh, but it does. it prevents them from gathering accurate information
> about your system. that's an extremely important part of the attack.

Well, most of the automated trojans seen recently just connect and
try to execute some specific code. You won't beat them by
turning off timestamps, or selective-acks, or changing default
window size for TCP. They won't even notice Your hacks...

On the other hand, people that *really* want to get root on Your
box will fingerprint Your box (if it really matters for them) by
means of services running and its typical role, not by
"what TTL does it return? OH, it's 199, I won't even try to get in,
as it's probably some m4st4 inside...".

This whole thing about network stack virtualization and the ability to
influence Your network stack to the point where You're able to behave
like another OS is very interesting, there's even a good book about system
fingerprinting and identification coming out by Michal Zalewski[1],
but to real-world systems, what's the use of mimicking Linux or
a Cisco router, when You're running Postfix, Apache, Courier-IMAP,
pure-ftpd and SSH on Your box, and the "I want Your disk-space"
kid will try his SSH exploits with an automated script whatever the
fingerprint will be?

[1]. http://www.oreilly.com/catalog/1593270461/

-- 
this space was intentionally left blank    |              Łukasz Bromirski
you can insert your favourite quote here   |          lukasz:bromirski,net

