Hi Nawapong Nakjang,

Thx for the info... Was looking for such a tool.. Got a better insight on the traffic that my proxyserver is handling. It is amazing how many portscans you see...

John

On 7/8/03 4:40 AM, "Nawapong Nakjang" <[EMAIL PROTECTED]> wrote:

> Yes it is possible, you can use a tool called iplog:
>
> IPlog is a TCP/IP logger that can detect some scans (XMAS, FIN, SYN, ACK, etc). It also has an option (-z) that allows to fool Nmap queries, and, although you can't behave as other OS, you can completely fool Nmap to avoid remote OS fingerprinting.
>
> [EMAIL PROTECTED] /]# iplog -o -L -z -i eth0
> [EMAIL PROTECTED] /]# nmap -vv -sS -O -10.0.0.2
>
> Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-08 09:33 ICT
> Insufficient responses for TCP sequencing (1), OS detection may be less accurate
> Insufficient responses for TCP sequencing (1), OS detection may be less accurate
> Insufficient responses for TCP sequencing (1), OS detection may be less accurate
> Interesting ports on webconsole (10.0.0.2):
> (The 1599 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 443/tcp    open        https
> No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
> TCP/IP fingerprint:
> SInfo(V=3.10ALPHA4%P=i586-pc-linux-gnu%D=2/20%Time=3E54C833%O=9%C=1)
> T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
> T2(Resp=Y%DF=N%W=0%ACK=O%Flags=BA%Ops=)
> T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BARF%Ops=)
> T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BPF%Ops=)
> T3(Resp=Y%DF=N%W=0%ACK=O%Flags=BA%Ops=)
> T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
> T7(Resp=Y%DF=N%W=0%ACK=O%Flags=BA%Ops=)
> T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
> PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
>
> In this example, nmap is not clever enough to guess the OS. But to completely fool nmap to give a false OS like (Play Station, Sega Dreamcast, etc), you would need a kernel patch/module.....
>
> Nawapong Nakjang
> IT Security Specialist
> Security Team, Network Operation Center
> KSC Commercial Internet Co, Ltd.
> E-Mail: [EMAIL PROTECTED]
>
> -----Original Message-----
> From: vincent [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, July 06, 2003 1:42 AM
> To: [EMAIL PROTECTED]
> Subject: Tweaking /proc to avoid fingerprinting
>
> I was watching some traffic and trying to figure out from what OS the packets came from by their TTL, Window Size, etc. Since then I have been changing around just about every proc entry trying to confuse some of the tools that pull these values. And it works fine for tools like disco, p0f, but nmap is still too clever. Is it possible to fool nmap without using any types of kernel mods, or iptables filtering?
>
> Also something else seems odd to me. I have /proc/sys/net/ipv4/icmp_echo_ignore_all set to 1 but still reply to pings.
>
> The ping problem I'll probably find within another few minutes, but searching for filtering with /proc entries is difficult due to all the iptables scripts with keywords. Thanks in advance if you have any documentation or advice.
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs? Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------
