From owner-freebsd-security Fri Aug 25 22:18:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from enigma.gctr.net (enigma.gctr.net [208.51.184.100])
	by hub.freebsd.org (Postfix) with ESMTP id F2A1D37B423
	for ; Fri, 25 Aug 2000 22:18:52 -0700 (PDT)
Received: by enigma.gctr.net (Postfix, from userid 1000)
	id DEC60755A; Sat, 26 Aug 2000 01:18:51 -0400 (EDT)
Date: Sat, 26 Aug 2000 01:18:51 -0400 (EDT)
From: rob
To: Fred Souza
Cc: security@freebsd.org
Subject: Re: nmap OS detection
In-Reply-To: <20000826002656.A6530@torment.secfreak.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Unless I'm mistaken, Nmap remote OS detection uses a TCP packet with the
FIN / URG / PUSH flags set. This would explain why you were unable to
determine your OS when you had the net.inet.tcp.drop_synfin kernel option
set. Perhaps your router is dropping such packets?

Try to plug two machines into a hub, disable the kernel options and your
filtering rules, and then try this again.

Hope that helps.

Rob

On Sat, 26 Aug 2000, Fred Souza wrote:

> Hi all,
>
> I don't know if it's the right place to ask this, but since it's directly
> related to security, I think I'm not too wrong. :)
>
> I've been trying to audit my network using nmap, but there's something wrong.
> It scans the hosts correctly, but it doesn't detect the remote hosts' OSes.
>
> I was using the kernel option net.inet.tcp.drop_synfin, and it was causing
> nmap to not even be able to determine my own localhost OS. After disabling
> that option, it now can tell I'm using a FreeBSD 4.1 box.
>
> But it still cannot tell what OSes remote systems run. I've tried to boot
> the system without any changes through sysctl, and nothing. Tried to disable
> the firewall (ipf), because I thought it could possibly be any configuration
> mistakes, but no luck.
>
> I even tried to detect remote OS from outside my network, against lots of
> random hosts, and it did so for none of those. Any ideas on how to fix that?
>
>
> Thanks in advance,
> Fred.
>
> --
> Watch your code, or it'll get you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
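The thread turns on which of nmap's OS-detection probes a host or an in-path filter silently discards: drop_synfin kills any segment carrying both SYN and FIN, and a stateful ipf rule of the usual "flags S/SA keep state" shape admits only bare SYNs as new flows, so most of the odd-flag probes never reach the stack whose quirks nmap wants to measure. The script below is an added example written for this archive page; it is not code from either poster or from the nmap project. It builds real 20-byte TCP headers with a valid checksum for the classic first-generation probe set (T1 through T7, as I recall them from Fyodor's 1998 write-up of nmap fingerprinting; treat the exact flag sets as an assumption and confirm against your own nmap release), then models the two filters as predicates and reports which probes would survive each. The IP addresses and ports are constructed placeholders.

```python
"""Model which nmap OS-detection TCP probes a drop_synfin host or a
stateful ipf "flags S/SA" rule would discard.  Added example, not from
the mailing-list thread or from nmap itself."""
import socket
import struct

# TCP flag bits in byte 13 of the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("F", FIN), ("S", SYN), ("R", RST), ("P", PSH), ("A", ACK), ("U", URG)]

# First-generation nmap OS-detection TCP probes and the port state each
# targets.  Assumption: recalled from Fyodor's 1998 description of the
# fingerprinting tests; check nmap-os-fingerprints for your release.
PROBES = {
    "T1": (SYN, "open"),
    "T2": (0, "open"),                     # NULL probe, no flags at all
    "T3": (SYN | FIN | URG | PSH, "open"),  # the one drop_synfin eats
    "T4": (ACK, "open"),
    "T5": (SYN, "closed"),
    "T6": (ACK, "closed"),
    "T7": (FIN | PSH | URG, "closed"),
}


def ones_complement_sum(data):
    """RFC 1071 Internet checksum of data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum covers (protocol 6)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_len))


def build_tcp_header(src_ip, dst_ip, src_port, dst_port, flags,
                     seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header (no options, no payload) with a valid checksum."""
    data_offset = 5 << 4                   # 5 words, upper nibble of byte 12
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      data_offset, flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment):
    """A correct TCP checksum makes the sum over pseudo-header + segment fold to 0."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment):
    return segment[13]


def flag_string(flags):
    """Render flags the way tcpdump/ipf print them, e.g. 'FSPU'."""
    return "".join(name for name, bit in FLAG_NAMES if flags & bit) or "-"


def drop_synfin(segment):
    """FreeBSD net.inet.tcp.drop_synfin=1: discard segments with SYN and FIN both set."""
    f = tcp_flags(segment)
    return bool(f & SYN) and bool(f & FIN)


def ipf_flags_mismatch(segment, want=SYN, mask=SYN | ACK):
    """Model an ipf 'pass in proto tcp ... flags S/SA keep state' ruleset with a
    default block: anything that is not a bare SYN (within the S/A mask) and
    has no state entry is dropped.  Assumption: no pre-existing state."""
    return (tcp_flags(segment) & mask) != want


def surviving_probes(filters, src_ip="192.0.2.10", dst_ip="192.0.2.20"):
    """Return the probe names that none of the given drop-predicates reject."""
    survivors = []
    for name, (flags, _state) in PROBES.items():
        seg = build_tcp_header(src_ip, dst_ip, 40000, 80, flags)  # constructed ports
        if not any(drop(seg) for drop in filters):
            survivors.append(name)
    return survivors


if __name__ == "__main__":
    for name, (flags, state) in PROBES.items():
        print("%s  flags=%-4s -> %s port" % (name, flag_string(flags), state))
    print("survive drop_synfin:      ", surviving_probes([drop_synfin]))
    print("survive ipf flags S/SA:   ", surviving_probes([ipf_flags_mismatch]))
    print("survive both:             ", surviving_probes([drop_synfin, ipf_flags_mismatch]))
```

Two things fall out of running it. drop_synfin removes only T3, which matches Fred's report that the option broke fingerprinting of localhost while plain scanning still worked. A SYN-only stateful rule is far more destructive: T2, T4, T6 and T7 never reach the target stack, and T3 gets past ipf only to die in the kernel if drop_synfin is on, so a remote box behind either control answers too few probes for a match. That is also why Rob's suggestion to test across a bare hub with both the sysctl and the ruleset off is the right first step.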