Monday, October 19, 2009
Confusing the Nmap Scanner
1. Create a firewall rule that drops all packets recognized as coming from a port scanner.
2. Change the strings in the source code and recompile the application.
3. Change the strings in the binary file itself.
In my case, option three was the easiest because the system I was interested in protecting is a honeypot in a DMZ. Option 2 may or may not work depending on how old the source code is and what compiler and other build software it requires.

Anyway, I fired up khexedit and replaced the version number and OS version characters within the sshd binary. You'll want to avoid adding or subtracting characters and just replace them with different characters of the same length, since changing the length shifts everything that follows in the file. After testing, OpenSSH appears to be working fine. I also did the same thing for the vulnftpd.so module for nepenthes. The first time I tried to change the string in the module it broke nepenthes, so you might want to back up the file you are working on before you try this.

When I ran an nmap scan on the honeypot, nmap failed to recognize my OpenSSH version or that nepenthes was running on the box. This trick won't fool a sophisticated attacker, but it might confuse a script kiddie or an automated nmap scan.
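The same in-place string swap can be done with a small script instead of a hex editor, which makes the two rules above (keep the length identical, back up the file first) hard to get wrong. This is an added example, not code from the original post; the sample "binary", the file name and the banner strings in it are constructed placeholders rather than bytes from a real sshd.

```python
import shutil
import tempfile
from pathlib import Path


def replace_same_length(data: bytes, old: bytes, new: bytes) -> tuple[bytes, int]:
    """Replace every occurrence of `old` with `new`, refusing to change the length.

    A banner string in a compiled binary sits at a fixed offset and is normally
    NUL-terminated; keeping the length identical means no other offsets move and
    the terminator stays where the code expects it. Returns (patched, count).
    """
    if len(old) != len(new):
        raise ValueError(f"replacement must keep length: {len(old)} != {len(new)}")
    count = data.count(old)
    if count == 0:
        raise ValueError("string not found in binary")
    return data.replace(old, new), count


def patch_banner(path: Path, old: bytes, new: bytes) -> int:
    """Back up `path` as `<name>.bak`, then patch it in place; returns the replacement count."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    data = path.read_bytes()
    patched, count = replace_same_length(data, old, new)
    assert len(patched) == len(data)  # sanity check: file size must not change
    path.write_bytes(patched)
    return count


# Constructed stand-in for a binary: a few header-like bytes around a
# NUL-terminated banner string (values are made up for the example).
SAMPLE_BINARY = b"\x7fELF\x00" + b"OpenSSH_5.1p1\x00" + b"\x90\x90"
OLD_BANNER = b"OpenSSH_5.1p1"
NEW_BANNER = b"OpenSSH_9.9p9"  # same length as OLD_BANNER


def demo_roundtrip() -> tuple[int, bytes, bytes]:
    """Write the sample to a temp file, patch it, and return (count, patched, backup)."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "sshd"
        p.write_bytes(SAMPLE_BINARY)
        n = patch_banner(p, OLD_BANNER, NEW_BANNER)
        return n, p.read_bytes(), p.with_name("sshd.bak").read_bytes()


if __name__ == "__main__":
    count, patched, backup = demo_roundtrip()
    print(count, patched, backup)
```

Point the script at a copy of the real binary (with the strings you found in the hex editor) and restart the service afterwards, keeping the `.bak` file until the service is confirmed healthy.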