Subject: [NT] Preventing nmap OS detection for Windows NT
Date: Fri, 12 May 2000 10:13:39 +0200

Preventing nmap OS detection for Windows NT
--------------------------------------------------------------------------------

SUMMARY

Several scanning programs (such as Nmap) can detect the remote host type. For example, such scanning tools can tell an attacker whether the server in front of them is a Windows NT station, Windows 95, UNIX or Linux. This kind of information is very valuable to an attacker, since it lets remote attackers limit their search for exploitable vulnerabilities to those affecting Windows NT. The following article will guide you through setting certain TCP/IP filters that make automatic detection harder. Keep in mind, though, that some products such as FTP, SMTP, POP3 and WWW servers reveal the OS they are running under when a user connects to them.

DETAILS

The following registry keys should be modified (this can be done automatically by using the script below) to prevent Nmap from easily detecting the OS type:

Registry file:

Save the following into filter.reg, replacing 'NIC-NAME' with the name of your network card:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NIC-NAME\Parameters\Tcpip]
"TCPAllowedPorts"=hex(7):38,30,00,00 ; http(80)
"UDPAllowedPorts"=hex(7):35,32,30,00,00 ; rip(520)
"RawIPAllowedProtocols"=hex(7):36,00,31,37,00,00 ; tcp(6) and udp(17)

----filter.reg end

Note: Your NIC-NAME appears under:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards]

Explanation:

The registry script above disables communication on all ports besides:

38,30 == 80 == http
35,32,30 == 520 == rip

Also, it allows only the following protocols:

36 == 6 == tcp
31,37 == 17 == udp

(The hex(7) values are REG_MULTI_SZ strings: each port or protocol number is written as the hex codes of its ASCII digits, each string is NUL-terminated, and one more NUL closes the list. That is why "80" appears as 38,30,00,00.)

This disables remote connections to any port except those specified above, which prevents OS detection programs from gaining enough information to successfully identify the machine as Windows NT.

Example:

Before filters:

$ nmap -v -sT -O 172.17.1.1
Starting nmap V. 2.30BETA17 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host (172.17.1.1) appears to be up ... good.
Initiating TCP connect() scan against (172.17.1.1)
Adding TCP port 139 (state Open).
Adding TCP port 135 (state Open).
The TCP connect scan took 44 seconds to scan 1517 ports.
For OSScan assuming that port 135 is open and port 422 is closed and neither are firewalled
For OSScan assuming that port 135 is open and port 422 is closed and neither are firewalled
For OSScan assuming that port 135 is open and port 422 is closed and neither are firewalled
WARNING: OS didn't match until the 3 try
Interesting ports on (172.17.1.1):
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=10214 (Worthy challenge)
Sequence numbers: 82159285 821671B0 8216F2F9 8217B423 82187D56 82197619
Remote operating system guess: Microsoft NT 4.0 Server SP5 + 2047 Hotfixes
Nmap run completed -- 1 IP address (1 host up) scanned in 69 seconds

After applying the filters:

$ nmap -v -sU -O 172.17.1.1 -p 520
Starting nmap V. 2.30BETA17 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host (172.17.1.1) appears to be up ... good.
Initiating FIN,NULL, UDP, or Xmas stealth scan against (172.17.1.1)
The UDP or stealth FIN/NULL/XMAS scan took 0 seconds to scan 1 ports.
Interesting ports on (172.17.1.1):
Port       State       Service
520/udp    open        route
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 18 seconds

ADDITIONAL INFORMATION

We would like to thank Nelson for providing the registry script.

========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
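As an added example (not part of the original bulletin or Nelson's script), the following Python program generates a filter.reg in the format shown above from an arbitrary allowed-port list, so the hex(7) values do not have to be hand-encoded, and it decodes an existing hex(7) value back to strings for checking an exported key. The registry paths are the ones from the bulletin with NIC-NAME supplied by the caller; the REGEDIT4 header line and the function names are my own assumptions.

```python
# Added example: build the NT 4 TCP/IP filter .reg file described above.
# hex(7) is a REG_MULTI_SZ: each string's ASCII bytes, NUL-terminated, with
# one extra NUL closing the list, so "80" -> 38,30,00,00 and
# "6","17" -> 36,00,31,37,00,00 (the bulletin's values).

TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Per-adapter key from the bulletin; {nic} is replaced with the NIC-NAME.
NIC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{nic}\Parameters\Tcpip"


def multi_sz_hex(strings):
    """Encode a list of strings as the comma-separated hex(7) byte list."""
    data = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    return ",".join(f"{b:02x}" for b in data)


def multi_sz_decode(hex_text):
    """Inverse of multi_sz_hex: hex(7) text (e.g. from a regedit export) to strings."""
    data = bytes(int(h, 16) for h in hex_text.split(","))
    parts = data.split(b"\x00")
    while parts and parts[-1] == b"":   # drop the string and list terminators
        parts.pop()
    return [p.decode("ascii") for p in parts]


def build_filter_reg(nic_name, tcp_ports, udp_ports, raw_protocols=(6, 17)):
    """Return filter.reg text allowing only the given ports and IP protocols."""
    if not nic_name or "\\" in nic_name:
        raise ValueError("nic_name must be a single registry key name")
    for p in (*tcp_ports, *udp_ports):
        if not 1 <= int(p) <= 65535:
            raise ValueError(f"bad port {p}")
    lines = [
        "REGEDIT4",   # assumed header for the NT 4 regedit; not in the bulletin's script
        "",
        f"[{TCPIP_KEY}]",
        '"EnableSecurityFilters"=dword:00000001',
        "",
        f"[{NIC_KEY.format(nic=nic_name)}]",
        f'"TCPAllowedPorts"=hex(7):{multi_sz_hex([str(p) for p in tcp_ports])}',
        f'"UDPAllowedPorts"=hex(7):{multi_sz_hex([str(p) for p in udp_ports])}',
        f'"RawIPAllowedProtocols"=hex(7):{multi_sz_hex([str(p) for p in raw_protocols])}',
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Reproduces the bulletin's file: http(80), rip(520), tcp(6) and udp(17).
    print(build_filter_reg("NIC-NAME", [80], [520]))
```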