Re: Nmap fingerprinting
On 09 Aug 2001 13:42:00 -0300, Papo Napolitano wrote:
> [root@bcu /root]# ./nmap -sU -O 10.0.0.1
>
> Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
> Warning: OS detection will be MUCH less reliable because we did not find at
> least 1 open and 1 closed TCP port
> Interesting ports on gw (10.0.0.1):
> (The 1452 ports scanned but not shown below are in state: closed)
> Port State Service
> 514/udp open syslog
>
> Remote OS guesses: MacOS 8.5, OpenBSD 2.8 (X86), OpenBSD 2.9-beta through
> release (X86), OpenBSD 2.9-stable
You are using nmap from the internal side of the network. And usually a
tightened firewall doesn't allow access to a UDP service listening on
its external NIC.
You should really give it a hard think: What are you going to gain by
hiding OS information from a potential cracker and what are the
benefits/drawbacks to your security? Hide or not hide, that is the
question ;)
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds
>
>
> The rules work ok for TCP, but what about UDP scans?
> Changing "proto tcp" to "proto tcp/udp" would do the trick?
Nope, since UDP doesn't know a heck about TCP flags, so you'll end up with
an IPF error.
> I'm asking before messing up with my office firewall ;)
>
> Tnx.
>
>
> ----- Original Message -----
> From: "Michael Angelo Vien" <michaelvien@hotmail.com>
> To: "Dean Carey" <dcarey@dolfin.com>; <misc@openbsd.org>
> Sent: Wednesday, August 08, 2001 3:21 AM
> Subject: Re: Nmap fingerprinting
>
>
> > block in log quick on ne3 proto tcp from any to any flags FUP
> > block in log quick on ne3 proto tcp from any to any flags SFUP
> > block in log quick on ne3 proto tcp from any to any flags SF/SFRA
> > block in log quick on ne3 proto tcp from any to any flags /SFRA
> >
> > block return-rst in log quick on ne3 proto tcp all
> > block return-icmp-as-dest(port-unr) in log on ne3 all
> >
> > Works on both NMAP and QUESO
>
>
--
/saad
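An added example, not code from the thread: a small Python model of how IPF evaluates the quoted ruleset (assuming IPF's default flag mask FSRPAU and its last-match-wins-unless-quick ordering, with a hypothetical parse_rule helper), so a defender can check which TCP flag combinations each rule decides and see why a UDP rule cannot carry a flags clause.

```python
# Added example (not from the thread): model of how IPF evaluates the quoted
# "flags" rules, to check which TCP flag combinations a ruleset catches and
# why a rule for UDP cannot carry a flags clause.
from typing import Optional

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
DEFAULT_MASK = "FSRPAU"  # assumption: in IPF, "flags X" is shorthand for "flags X/FSRPAU"

def flags_to_int(spec: str) -> int:
    return sum(FLAG_BITS[c] for c in spec)

def parse_rule(text: str) -> dict:
    """Parse the subset of ipf.conf syntax used in the quoted rules (hypothetical helper)."""
    words = text.split()
    rule = {"text": text, "quick": "quick" in words, "mask": None, "set": None,
            "proto": words[words.index("proto") + 1] if "proto" in words else "any"}
    if "flags" in words:
        if rule["proto"] != "tcp":
            # ipf rejects this: only the TCP header has a flags field
            raise ValueError(f"flags clause requires proto tcp: {text!r}")
        set_part, _, mask_part = words[words.index("flags") + 1].partition("/")
        rule["set"] = flags_to_int(set_part)
        rule["mask"] = flags_to_int(mask_part or DEFAULT_MASK)
    return rule

def evaluate(rules, proto: str, tcp_flags: str = "") -> Optional[str]:
    """Rule that decides the packet: last match wins unless a 'quick' rule matches first."""
    pkt = flags_to_int(tcp_flags)
    decided = None
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if r["mask"] is not None and (pkt & r["mask"]) != r["set"]:
            continue
        decided = r["text"]
        if r["quick"]:
            break
    return decided

# The six rules quoted in the thread, verbatim
RULESET = [parse_rule(t) for t in [
    "block in log quick on ne3 proto tcp from any to any flags FUP",
    "block in log quick on ne3 proto tcp from any to any flags SFUP",
    "block in log quick on ne3 proto tcp from any to any flags SF/SFRA",
    "block in log quick on ne3 proto tcp from any to any flags /SFRA",
    "block return-rst in log quick on ne3 proto tcp all",
    "block return-icmp-as-dest(port-unr) in log on ne3 all",
]]
```

A plain SYN and a UDP datagram fall through to the two catch-all rules, while the FIN/URG/PSH, null and SYN/FIN combinations are decided by the flag rules; rewriting a flag rule as "proto tcp/udp" makes parse_rule raise, mirroring the IPF error.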