Monday, October 19, 2009
Confusing the Nmap Scanner
Nmap is a powerful port scanning tool. Like all tools, it can be used for good or ill. I have used it for years, but in a straightforward and trivial way. While doing some online research, I discovered that the -v -sV combination (verbose output plus service/version detection) enumerates services quite well. It will show you the banner or other identifying information a service sends back. So, I was a bit surprised to find that the scan reported not only the version of OpenSSH running on my systems but also the OS distribution, which OpenSSH includes in its banner (for example, a banner of the form SSH-2.0-OpenSSH_x.y Debian-z). Nmap is not doing anything magic here: -sV sends probes, reads the responses, and matches them against the patterns in its nmap-service-probes signature file, so anything that changes the strings the service emits changes what nmap reports. There are a number of ways to throw off a port scanner:
1. Create a firewall rule that drops packets from hosts whose traffic looks like a port scan.
2. Change the strings in the source code and recompile the application.
3. Change the strings in the binary file itself.
In my case, option three was the easiest because the system I was interested in protecting is a honeypot in a DMZ. Option 2 may or may not work depending upon how old the source code is and what compiler and other build software it requires. Anyway, I fired up khexedit and replaced the version number and OS version characters within the sshd binary. You'll want to avoid adding or removing characters and just overwrite them with different characters of the same length: strings in a compiled binary are referenced by offset, so changing the length shifts everything after it and corrupts the file. After testing, OpenSSH appears to be working fine. I also did the same thing for the vulnftpd.so module for nepenthes. The first time I tried to change the string in the module it broke nepenthes, so you will want to back up the file you are working on before you try this. When I ran an nmap scan on the honeypot, nmap failed to recognize my OpenSSH version or that nepenthes was running on the box. Keep in mind that a patched binary will fail package integrity checks (debsums, rpm -V) and will be silently replaced by the next package update, so the edit has to be redone after upgrades. This trick won't fool a sophisticated attacker, but it might confuse a script kiddie or an automated nmap scan.
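The same-length string replacement described above, done with a script instead of a hex editor so the length check and the backup are enforced rather than remembered. This is an added example and not the author's own procedure; the "binary" it works on is a constructed byte string standing in for sshd, the OpenSSH version pattern is an assumption about what the banner looks like, and the function and file names are made up for illustration. The patcher refuses to change the file length, backs up the original, and writes through a temporary file and rename so it works even when the target executable is currently running.

```python
import os
import re
import shutil
from pathlib import Path

# Constructed stand-in for a service binary: a fake header, then the kind of
# NUL-terminated version strings a real sshd carries. Example data only.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x90" * 16
    + b"SSH-2.0-OpenSSH_5.1p1 Debian-5\x00"   # the banner nmap sees
    + b"\x00" * 4
    + b"OpenSSH_5.1p1\x00"                    # a second copy elsewhere
    + b"\xc3" * 8
)

# Assumed shape of an OpenSSH version token: "OpenSSH_" then a version string.
VERSION_RE = re.compile(rb"OpenSSH_[0-9][0-9A-Za-z.]*")


def find_version_strings(data: bytes):
    """Return (offset, token) pairs for anything that looks like an OpenSSH version.

    Equivalent to running `strings sshd | grep OpenSSH_` by hand, but also gives
    the offsets, and catches copies of the string you might miss with a hex editor.
    """
    return [(m.start(), m.group(0)) for m in VERSION_RE.finditer(data)]


def patch_same_length(data: bytes, old: bytes, new: bytes) -> tuple[bytes, int]:
    """Replace every occurrence of `old` with `new` without changing the length.

    Returns the patched bytes and how many occurrences were replaced.
    Raises ValueError if the replacement would grow or shrink the file, since
    strings in a compiled binary are referenced by offset and shifting them
    corrupts everything after the edit.
    """
    if not old:
        raise ValueError("empty search string")
    if len(old) != len(new):
        raise ValueError(
            f"replacement must be the same length: {len(old)} != {len(new)}"
        )
    count = data.count(old)
    return data.replace(old, new), count


def patch_file(path, old: bytes, new: bytes) -> int:
    """Patch `path` in place, keeping a `.orig` backup; returns the replacement count.

    The new contents are written to a temporary file and renamed over the
    original: opening a running executable for writing fails with ETXTBSY on
    Linux, but replacing the directory entry does not. Restart the service
    afterwards so it loads the patched image.
    """
    p = Path(path)
    backup = p.with_name(p.name + ".orig")
    if not backup.exists():          # never clobber an existing pristine copy
        shutil.copy2(p, backup)

    data = p.read_bytes()
    patched, count = patch_same_length(data, old, new)
    if count == 0:
        raise LookupError(f"{old!r} not found in {p}")
    assert len(patched) == len(data)

    tmp = p.with_name(p.name + ".new")
    tmp.write_bytes(patched)
    shutil.copymode(p, tmp)          # keep the executable bit and friends
    os.replace(tmp, p)               # atomic swap, works on a busy executable
    return count


if __name__ == "__main__":
    # Leave the "SSH-2.0-" prefix alone: the SSH protocol requires it. Only the
    # software name and version after it are fair game.
    before = find_version_strings(SAMPLE_BINARY)
    patched, n = patch_same_length(SAMPLE_BINARY, b"OpenSSH_5.1p1", b"XpenXXX_9.9q9")
    print(f"found {before}, replaced {n} occurrence(s), "
          f"remaining: {find_version_strings(patched)}")
```

Run it against a copy of the real binary first (patch_file("/tmp/sshd.copy", b"OpenSSH_5.1p1", b"XpenXXX_9.9q9")), then check with strings that no copy of the old token remains before touching the installed one. The same two calls apply to the nepenthes module or any other service that leaks its version in a banner; only the search string changes.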
Labels: foiling signature based enumeration, Fooling the bad guys