Avoid NMAP OS detection

Hmmm…. someone asked me if there was any way to protect a target from, say, NMAP OS detection. I didn’t know and a bit of searching pointed me here:

http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools

Which sounded interesting, but also gave me a few pointers. I trawled HKLM\System\CurrentControlSet\Services\Tcpip but couldn’t see anything that looked like it was really usefully editable (or I was worried that it would completely mess up the networking). I tried changing this value, …\Parameters\TcpWindowSize, and it looks like this has done it. If the value is set to (Decimal) 64240, my test box is Windows XP. It also lists 21 open ports in green. Change the value to 64241, and NMAP no longer has any real idea what OS I’m running (although it does think maybe it’s an i686 Windows OS) and the number of open ports in green drops to 17.

Of course, I have no idea what impact this has on a machine. This link (http://technet.microsoft.com/en-us/library/bb463205.aspx) explains what that value does, but it could be doing something ‘orrible, so change it at your own risk. However, it’s quite an easy way to hide your machine from NMAP OS scans: I’ve tried NMAP with a few aggressive scan options and none of them seem to work. At the very least, it’s a quick way to guard against casual port scans.
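Since the effect of the change on the machine is unknown, it helps to make it reversible. The following PowerShell is an added example, not part of the original post: it records the original state of TcpWindowSize before writing the new value and can put it back afterwards. The function names and the backup file location are assumptions made for this example.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# $BackupFile is a hypothetical location chosen for this example.
$Key        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Name       = 'TcpWindowSize'
$BackupFile = Join-Path $env:TEMP 'TcpWindowSize.backup.xml'

function Get-TcpWindowSize {
    # Returns the current DWORD, or $null when the value is not defined.
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($prop) { $prop.$Name } else { $null }
}

function Set-TcpWindowSize {
    param([Parameter(Mandatory = $true)][int]$Value)
    # Save the original state only once, so repeated runs never
    # overwrite the backup with an already modified value.
    if (-not (Test-Path $BackupFile)) {
        $current = Get-TcpWindowSize
        @{ Existed = ($null -ne $current); Value = $current } |
            Export-Clixml -Path $BackupFile
    }
    # -Force creates the value if it is missing and overwrites it if present.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Restore-TcpWindowSize {
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    $saved = Import-Clixml -Path $BackupFile
    if ($saved.Existed) {
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
            -Value $saved.Value -Force | Out-Null
    } else {
        # The value did not exist originally, so remove it again.
        Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    }
    Remove-Item $BackupFile
}

# Usage: apply the value from the post, then re-run the scan.
"Before: $(Get-TcpWindowSize)"
Set-TcpWindowSize -Value 64241
"After:  $(Get-TcpWindowSize)"
# If networking misbehaves: Restore-TcpWindowSize
```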
