i have a 2.6.4 kernel with grsecurity
if "echo 1 > /proc/...grsecurity/rand_ip_id"
then nmap will say that is a grsecurity kernel with 1000HZ patch
if "echo 0 > /proc/...grsecurity/rand_ip_id"
then nmap will not detect that it is a grsec kernel
also if "echo 0 > /proc/../tcp_timestamps"
then nmap will also detect a grsec kernel
and this option is exactly to stop os fingerprint and uptime detection!
grsecurity and nmap os deteciton
2 posts
• Page 1 of 1
grsecurity and nmap os deteciton
by andy00 » Fri Apr 16, 2004 2:53 pm
- andy00
- Posts: 2
- Joined: Fri Apr 16, 2004 2:45 pm
by fwiffo » Fri Apr 23, 2004 8:17 am
In fact it will stop OS and uptime detection (not in all cases btw), but won't stop detecting that this is a grsec kernel, since those listed are things done only by this patch in a specific way 
Of course there are other ways to stop even this and other detections, and one that I've read recently was pretty good...
IMHO a sysadmin should carefully look at all the specific things that those programs are looking at, for OS/Various checks, and change what is needed accordingly, to completely fool them, even the services should be modified, since another step to indentify a machine is of course by the daemons that the machine is running...If one does such modification only on one machine, and can mask things pretty good, I hardly believe that one can guess what you're running, but it's still not impossible, one have only to do better research.
In conclusion (IMHO), there isn't an universal way to fool those programs, since even in the best case, something is left behind that will unmask the identity of the machine.....If not today, tomorrow, but someone will find the difference, at least until something better will appear, but I can't discuss of anything that will do or will be done, since I'm not an hacker nor an experienced programmer/sysadmin
P.S.: If I find the url or remember it (relative to fingerprinting fooling) I will post it, in any case, I wish you good luck, and a good research, since this is an intriguing argument!
Of course there are other ways to stop even this and other detections, and one that I've read recently was pretty good...
IMHO a sysadmin should carefully look at all the specific things that those programs are looking at, for OS/Various checks, and change what is needed accordingly, to completely fool them, even the services should be modified, since another step to indentify a machine is of course by the daemons that the machine is running...If one does such modification only on one machine, and can mask things pretty good, I hardly believe that one can guess what you're running, but it's still not impossible, one have only to do better research.
In conclusion (IMHO), there isn't an universal way to fool those programs, since even in the best case, something is left behind that will unmask the identity of the machine.....If not today, tomorrow, but someone will find the difference, at least until something better will appear, but I can't discuss of anything that will do or will be done, since I'm not an hacker nor an experienced programmer/sysadmin
P.S.: If I find the url or remember it (relative to fingerprinting fooling) I will post it, in any case, I wish you good luck, and a good research, since this is an intriguing argument!
- fwiffo
- Posts: 10
- Joined: Fri Mar 12, 2004 6:50 pm
2 posts
• Page 1 of 1