Solaris and NMAP


stefan

Jul 11, 2003, 3:10:20 AM7/11/03
Hello

Recently, I did a port scan of one of our systems with nmap and
found, to my surprise, that nmap was able to find out a lot of
information:


# nmap -O sun100.abc.efgh.ch

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on sun100.abc.efgh.ch (xxx.yyy.zzz.27):
(The 1541 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
111/tcp open sunrpc
898/tcp open unknown
1521/tcp open ncube-lm
1987/tcp open tr-rsrb-p1
32779/tcp open sometimes-rpc21

Remote operating system guess: Sun Solaris 8 early acces beta through
actual release
Uptime 30.894 days (since Tue Jun 10 11:23:34 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 49 seconds


Although almost all services in /etc/inet/inetd.conf have been
deactivated, nmap was able to determine the uptime and OS correctly.

Questions:

Which daemon or system part delivered this information (uptime, OS)
to nmap?

How can I hide this information from a port scanner or other spy
tools?


I thank you for your efforts.


Stefan Schmid
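The scan above is exactly the kind of text a defender wants in structured form, so that an unexpected open port (here, for instance, the Oracle listener on 1521 or the RPC ports on a box that is supposed to have inetd services off) shows up automatically instead of being read by eye. The following is an added example, not code from the thread or from the nmap project: it parses the old nmap 2.54 text layout and compares the open ports against an allow-list. The scan text embedded below is a constructed sample shaped like the one in the post.

```python
"""Parse classic nmap -O text output into a record and diff the open ports
against an expected set. Added example; SAMPLE_SCAN is constructed to look
like the scan in the post above."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SAMPLE_SCAN = """\
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
Interesting ports on sun100.abc.efgh.ch (xxx.yyy.zzz.27):
(The 1541 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
111/tcp open sunrpc
898/tcp open unknown
1521/tcp open ncube-lm
1987/tcp open tr-rsrb-p1
32779/tcp open sometimes-rpc21

Remote operating system guess: Sun Solaris 8 early acces beta through
actual release
Uptime 30.894 days (since Tue Jun 10 11:23:34 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 49 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")
HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([^)]+)\):")
OS_RE = re.compile(r"^Remote operating system guess: (.*)$")
UPTIME_RE = re.compile(r"^Uptime ([\d.]+) days")


@dataclass
class ScanResult:
    host: str = ""
    addr: str = ""
    # (port, proto) -> (state, service)
    ports: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)
    os_guess: str = ""
    uptime_days: Optional[float] = None


def parse_nmap(text: str) -> ScanResult:
    """Walk the scan line by line; the OS guess may wrap onto following lines."""
    result = ScanResult()
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = HOST_RE.match(line)
        if m:
            result.host, result.addr = m.group(1), m.group(2)
        elif PORT_RE.match(line):
            m = PORT_RE.match(line)
            result.ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
        elif OS_RE.match(line):
            guess = OS_RE.match(line).group(1)
            # old nmap wraps the guess; join continuation lines up to the Uptime line
            while i + 1 < len(lines) and lines[i + 1] and not lines[i + 1].startswith("Uptime"):
                i += 1
                guess += " " + lines[i].strip()
            result.os_guess = guess
        elif UPTIME_RE.match(line):
            result.uptime_days = float(UPTIME_RE.match(line).group(1))
        i += 1
    return result


def unexpected_ports(result: ScanResult, allowed):
    """Open (port, proto) pairs that are not in the allow-list, sorted."""
    return sorted(k for k, (state, _) in result.ports.items()
                  if state == "open" and k not in allowed)


if __name__ == "__main__":
    r = parse_nmap(SAMPLE_SCAN)
    print(r.host, r.addr, r.os_guess, r.uptime_days)
    print("unexpected:", unexpected_ports(r, {(22, "tcp")}))
```

Run with an allow-list of just ssh, every other open port from the scan is reported; with a real scan the allow-list would come from the host's build documentation rather than from the scan itself.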

Akop Pogosian

Jul 11, 2003, 5:43:37 AM7/11/03
stefan <sc...@web.de> wrote:
> Hello


> # nmap -O sun100.abc.efgh.ch

> Questions:

There is a paper on the nmap web site (www.insecure.org) about how
nmap detects the OS types and versions. I haven't read it but from
what I have heard about it, it is non-trivial to thwart nmap's OS
detection. It is using a combination of TCP/IP finger-printing
techniques. Fooling nmap would probably involve modifying the kernel.
But then, once the TCP/IP finger print of that modified kernel is
known, it could be added to nmap's database as belonging to say
"Solaris 8 with module foo". I heard there is a kernel patch or module
for Linux that's designed specifically to fool nmap. You could
configure it to make nmap believe that it's running some other OS, but
I wouldn't want to run that on a production system. I haven't heard of
such a thing for Solaris.


-akop

Kjetil Torgrim Homme

Jul 11, 2003, 9:35:21 AM7/11/03
[Akop Pogosian]:

>
> Fooling nmap would probably involve modifying the kernel. But
> then, once the TCP/IP finger print of that modified kernel is
> known, it could be added to nmap's database as belonging to say
> "Solaris 8 with module foo". I heard there is a kernel patch or
> module for Linux that's designed specifically to fool nmap. You
> could configure it to make nmap believe that it's running some
> other OS, but I wouldn't want to run that on a production
> system. I haven't heard of such thing for Solaris.

there are sets of ndd tweaks which will throw off nmap. this looks
like a nice page:

http://secinf.net/info/unix/dubrawsky/913secsol.shtml

--
Kjetil T. | read and make up your own mind
| http://www.cactus48.com/truth.html
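Nobody in the thread answers the first question directly, so here is the mechanism behind the "Uptime 30.894 days" line, as an added example that is not part of the thread: nmap's uptime figure does not come from any daemon but from the TCP timestamp option (TSval) the kernel puts in its own segments. That counter starts at boot and ticks at a fixed rate, so two responses spaced a known time apart give the tick rate, and the current value divided by the rate gives the uptime. Switching services off in inetd.conf cannot hide it; only the kernel's TCP behaviour can, which is why the ndd tweaks in the last reply are the right place to look. The sample observations below are constructed (a 100 Hz clock is assumed for them; real hosts vary, and nmap measures the rate rather than assuming it).

```python
"""Estimate a host's uptime from TCP timestamp (TSval) samples the way an
OS-fingerprinting scanner does. Added example; SAMPLES are constructed."""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed observations: (capture time, TSval seen in a response from the host).
SAMPLES: List[Tuple[datetime, Optional[int]]] = [
    (datetime(2003, 7, 11, 3, 0, 0), 266_923_000),
    (datetime(2003, 7, 11, 3, 0, 10), 266_924_000),
    (datetime(2003, 7, 11, 3, 0, 30), 266_926_000),
]

# Same capture times, but the host sends no timestamp option at all.
NO_TIMESTAMPS: List[Tuple[datetime, Optional[int]]] = [
    (datetime(2003, 7, 11, 3, 0, 0), None),
    (datetime(2003, 7, 11, 3, 0, 30), None),
]


def tick_rate_hz(samples) -> float:
    """TSval ticks per second, from the first and last sample."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    elapsed = (t1 - t0).total_seconds()
    if elapsed <= 0 or v1 <= v0:
        raise ValueError("samples must be spaced in time and increasing")
    return (v1 - v0) / elapsed


def estimated_uptime_seconds(samples) -> Optional[float]:
    """Uptime in seconds, or None when the host gives the scanner nothing to use."""
    if len(samples) < 2 or any(v is None for _, v in samples):
        return None
    return samples[-1][1] / tick_rate_hz(samples)


def estimated_boot_time(samples) -> Optional[datetime]:
    up = estimated_uptime_seconds(samples)
    if up is None:
        return None
    return samples[-1][0] - timedelta(seconds=up)


if __name__ == "__main__":
    up = estimated_uptime_seconds(SAMPLES)
    print(f"tick rate {tick_rate_hz(SAMPLES):.0f} Hz, uptime {up / 86400:.3f} days,"
          f" booted {estimated_boot_time(SAMPLES)}")
    print("without timestamps:", estimated_uptime_seconds(NO_TIMESTAMPS))
```

With the constructed samples the result is 30.894 days, the same figure as in the scan above, which is no coincidence: the samples were chosen to match it. The second case shows the only real mitigation on the host side: if the kernel does not emit the timestamp option, there is no counter to read. Which knob controls that is OS-specific; the thread's last reply points at the Solaris ndd settings for it.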
