1

I would like to modify the Windows OS banner to defeat OS detection by scanning tools like Nmap, for example, although I know that Nmap does not take just the banner into account for OS detection.

tech_enthusiast
free

1 Answer

3

I suppose you're talking about the OS fingerprint, which used to be a simple OS file that you could modify or replace.

However, with newer and combined scan techniques, modifying the fingerprint will no longer be sufficient to effectively hide your OS from nmap.

For example, the scanner looks at some TCP properties, like the TTL and TCP window size:

Operating System                      Time To Live  TCP Window Size
Linux (Kernel 2.4 and 2.6)            64            5840
Google Linux                          64            5720
FreeBSD                               64            65535
Windows XP                            128           65535
Windows Vista and 7 (Server 2008)     128           8192
iOS 12.4 (Cisco Routers)              255           4128

Then again, there's also "logic": if you have IIS or Windows RDS running, you're probably running Windows; if an NGINX banner is found, you're likely running Linux.

So, in order to effectively hide your operating system from an attacker, you will need to hide the banners of several services to get the desired effect.

Best would be to perform scans yourself and take down identifiable banners one by one.

Nomad
  • 2,359
  • 2
  • 11
  • 23
  • 1
    One way would be to virtualize the system you want to appear as and have it bind directly to the network interface. That would allow trivial fingerprint spoofability at the expense of some context switching and virtualized network stack overhead. – forest Mar 31 '18 at 05:46
  • True, good call. However, the 'real' system will still need to have ports open that can leak info. So OP should still check the banners on those. Or even the mixed setup you describe can be guessed. – Nomad Mar 31 '18 at 12:00
  • 1
    That's true. I was thinking more of mitigating networking stack fingerprinting in particular, as application-level fingerprinting is much easier to solve on a case-by-case basis. – forest Apr 01 '18 at 01:06
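The two heuristics in the answer above (the TTL / TCP window table, and the "logic" of identifiable service banners) as a small self-audit script. This is an added example, not code from the original answer or from Nmap: the fingerprint table is copied from the answer, not from Nmap's much larger probe database, and the banner strings and port list are constructed sample data. The only assumption beyond the answer is that an observed TTL should be rounded up to the nearest common initial value (64, 128, 255) because each router hop decrements it by one.

```python
"""Added example (not part of the original answer): apply the answer's
TTL/window table and banner "logic" to sample data so an administrator
can see what their own host leaks before changing anything.
"""

# Table from the answer: (initial TTL, TCP window size) -> OS guess.
FINGERPRINTS = {
    (64, 5840): "Linux (Kernel 2.4 and 2.6)",
    (64, 5720): "Google Linux",
    (64, 65535): "FreeBSD",
    (128, 65535): "Windows XP",
    (128, 8192): "Windows Vista and 7 (Server 2008)",
    (255, 4128): "iOS 12.4 (Cisco Routers)",
}

# Common initial TTL values; the assumption is that an observed TTL started
# at the smallest of these that is >= the observed value (one hop = -1).
INITIAL_TTLS = (64, 128, 255)

# Coarse family guess when only the initial TTL matches the table.
TTL_FAMILY = {64: "Unix-like (Linux/BSD)", 128: "Windows", 255: "Network device"}

# Product strings the answer names as platform give-aways.
BANNER_HINTS = {
    "Microsoft-IIS": "Windows",
    "nginx": "Linux",
}


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value.

    A reply arriving with TTL 57 most likely left the host with TTL 64
    and crossed 7 routers on the way.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255  # unreachable given the range check, kept for clarity


def guess_os(observed_ttl: int, window: int) -> str:
    """Return the table's OS guess for (initial TTL, window), or a coarse
    family guess from the TTL alone when the window size is not listed."""
    ttl0 = initial_ttl(observed_ttl)
    exact = FINGERPRINTS.get((ttl0, window))
    if exact:
        return exact
    return f"unknown window {window}; TTL suggests {TTL_FAMILY[ttl0]}"


def audit_banners(banners: dict) -> dict:
    """Given {service: banner_line}, return the services whose banner names
    an identifiable product, mapped to (matched token, implied platform)."""
    leaks = {}
    for service, banner in banners.items():
        for token, platform in BANNER_HINTS.items():
            if token.lower() in banner.lower():
                leaks[service] = (token, platform)
                break
    return leaks


# Constructed sample data: what a scan of one's own host might return.
SAMPLE_OBSERVATIONS = [(57, 5840), (120, 8192), (250, 4128), (60, 1234)]
SAMPLE_BANNERS = {
    "tcp/80": "Server: Microsoft-IIS/10.0",
    "tcp/8080": "Server: nginx/1.18.0",
    "tcp/22": "SSH-2.0-OpenSSH_8.2",
    "tcp/443": "Server: webserver",  # generic banner, nothing to flag
}


if __name__ == "__main__":
    for ttl, win in SAMPLE_OBSERVATIONS:
        print(f"TTL {ttl:>3} window {win:>5} -> {guess_os(ttl, win)}")
    for service, (token, platform) in audit_banners(SAMPLE_BANNERS).items():
        print(f"{service}: banner contains '{token}', implies {platform}")
```

Run it against the constructed data and the two IIS/nginx services are flagged while the generic banner is not; swap in real banners and TTL/window pairs from a scan of your own host to get the list of services the answer says you need to clean up one by one.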