[OSFP] a solution against 'xprobe2' and 'nmap -O' ??


Hi there,

I'm looking for a solution that can make it impossible for a hacker to get
the OS version of my servers by fingerprinting (using for example 'nmap
-O' or 'xprobe2'). Does anyone know an efficient means? I heard about
IP Personality for Linux; has anyone tested it? Are there some tools
for Windows?

Thanks in advance,


Re: [OSFP] a solution against 'xprobe2' and 'nmap -O' ??

On 2005-05-23, Amine Elleuch wrote:


It's not so much the OS version they are after, but the versions of the
applications that sit listening on various ports. Who cares if it's running
Fedora Core something-or-another, if it's running Proftpd 1.2.9 or an older
b0rked version of OpenSSL is advertising itself in everything it's linked


If you're worried about scans as a whole, the netfilter patch-o-matic has some
cool features you may want to look into, but it requires patching your kernel
and recompiling to get the additional iptables kmods. However, it's painless
and I've since made it a part of my default setup. Here are the ones I've loaded
now on the gateway:

You might be able to use 'psd', a portscan match module, to flag & drop scan
packets. nmap I think is easier to catch, because I find that sometimes my
nmap probes will get dropped, but so far xprobe2 has been going through
untouched, at least on the places I've used it.

For Windows? I don't think they have such cool toys ;)
Anyways, the large number of default open ports on a Windows box almost always
gives it away: 1024-27, 445, 5000, etc...

1 Copy M$ Windows XP...$200; 1 Anti-virus ...$80; 2 Third-
party firewalls....$220; 1 Visa Credit Stolen from Win XP
machine when hacked.....$50,000; 2 Anti-Spywares...$160;
Never worrying about this crap because I use Linux..Priceless

Re: [OSFP] a solution against 'xprobe2' and 'nmap -O' ??


This can be very useful information since different compilations of the
same code or even running the same binary under different kernels can
put the same variables at different addresses in memory, which makes
writing exploits harder.

Feel free to correct my English
Stanislaw Klekot

Re: a solution against 'xprobe2' and 'nmap -O' ??


Have a look at your sysctl options.


Have a look in the registry.


Also, dropping nmap-esque packets that resemble scans (SYN / NULL,
etc.) will help.
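The two ideas in this thread, matching odd TCP flag combinations that only scanners send (NULL, XMAS, SYN/FIN) and counting how many distinct ports one source touches in a short window (what the psd match does), are shown below as a small detector run over constructed packet records. This is an added example, not code from the thread or from netfilter/psd; the record format, the threshold of 10 ports per second and the sample traffic are assumptions.

```python
from collections import defaultdict

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags):
    """Name the scan technique a TCP flag combination suggests, or return
    None for combinations a normal client sends (SYN, ACK, PSH/ACK, ...)."""
    if flags == 0:
        return "NULL"
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        return "XMAS"
    if (flags & (SYN | FIN)) == (SYN | FIN):
        return "SYN/FIN"
    if flags == FIN:
        return "FIN"
    return None


def analyse(packets, threshold=10, window=1.0):
    """Run both checks over (time, src, dport, flags) records.

    A source that touches more than `threshold` distinct ports within
    `window` seconds is reported as a port sweep, in the spirit of the
    psd match (assumed thresholds). Returns (src, reason) findings,
    de-duplicated, in the order they were first seen."""
    recent = defaultdict(list)          # src -> [(time, dport), ...]
    findings = []
    for t, src, dport, flags in packets:
        kind = classify_flags(flags)
        if kind:
            findings.append((src, f"{kind} probe to port {dport}"))
        recent[src] = [(ts, p) for ts, p in recent[src] if t - ts <= window]
        recent[src].append((t, dport))
        if len({p for _, p in recent[src]}) > threshold:
            findings.append((src, "port sweep"))
    return list(dict.fromkeys(findings))  # drop repeats, keep first order


# Constructed sample traffic: a normal web client, a host sending odd-flag
# probes, and a host sweeping 20 ports in under a second.
SAMPLE = [(0.0, "10.0.0.5", 80, SYN), (0.1, "10.0.0.5", 80, PSH | ACK),
          (0.2, "10.0.0.9", 22, 0), (0.3, "10.0.0.9", 22, FIN | PSH | URG),
          (0.4, "10.0.0.9", 25, SYN | FIN)]
SAMPLE += [(0.5 + i * 0.01, "10.0.0.7", 1000 + i, SYN) for i in range(20)]

if __name__ == "__main__":
    for src, reason in analyse(SAMPLE):
        print(src, reason)
```

The flag check catches single crafted probes, while the sweep counter catches ordinary SYN scans that use valid flags; the web client on 10.0.0.5 triggers neither.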

