The idea with fingerprinting is that you know an IP address that seems to be a computer. Now you want to know the brand (Solaris, HP-UX, AIX, etc). Once you know that it is, say, a Solaris box, you then try known Solaris weaknesses. Since, by default, Solaris uses 255 as a TTL, if you see a TTL of 255, it might be Solaris. The trouble is that 255 is the max for TTL, and in the 90's a few OS's got burned with TTL's that were too small. My impression is that most vendors cranked TTL up to the max. If you really feel the need to fiddle with TTL, keep it high. 155 is not too bad. You might regret 55 though.
Changing the TTL is not going to close a port. You're trying to make them think you have a Linux box or something. That way they spend all the time hitting you with Linux attacks rather than Solaris attacks. This is a bunch of jive if you ask me. Keep your Solaris box well patched and then you should not care if the bad guys know it's Solaris. Security by obscurity does not work. But here is another opinion.
thx mate, got it. I read through the link, that's a good explanation. I see that it makes no sense on my configuration because:
Code:
pressytest@gentoo ~ # telnet 192.168.133.122 22
Trying 192.168.133.122...
Connected to 192.168.133.122.
Escape character is '^]'.
SSH-2.0-Sun_SSH_1.0.1
exit
Connection closed by foreign host.
pressytest@gentoo ~ #
AND:
MAC Address: 08:00:20:xx:xx:xx (SUN Microsystems)
thanks again
greetings PRESSY
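An added illustration, not code from the thread: the sketch below audits the three signals the two posts mention (observed TTL, SSH identification string, MAC vendor prefix) to show what still identifies the platform after the TTL is changed. The 64 and 128 initial TTLs are commonly cited defaults assumed here (the thread itself only states Solaris = 255), and all function names are hypothetical.

```python
import re

# Commonly cited initial TTLs (assumption; the thread only states Solaris = 255).
COMMON_INITIAL_TTLS = (64, 128, 255)
# OUI prefix and vendor string exactly as quoted in the thread.
OUI_VENDORS = {"08:00:20": "SUN Microsystems"}
# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
SSH_ID = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def guess_initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value.

    Returns (assumed initial TTL, implied hop count)."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed)
    return initial, initial - observed


def parse_ssh_banner(line):
    """Split an SSH identification line into its fields, or return None."""
    m = SSH_ID.match(line.strip())
    return m.groupdict() if m else None


def os_hints(observed_ttl, ssh_banner=None, mac=None):
    """Collect every signal that still points at a platform, tagged by source."""
    initial, hops = guess_initial_ttl(observed_ttl)
    hints = [("ttl", f"initial TTL probably {initial}, {hops} hop(s) implied")]
    banner = parse_ssh_banner(ssh_banner) if ssh_banner else None
    if banner:
        hints.append(("ssh", banner["software"]))
    if mac:
        vendor = OUI_VENDORS.get(mac.lower()[:8])
        if vendor:
            hints.append(("mac", vendor))
    return hints


if __name__ == "__main__":
    # Constructed scenario: the host from the thread with its TTL changed to 155.
    # The TTL guess becomes noisy, but the banner and the OUI are unaffected.
    for source, detail in os_hints(155, "SSH-2.0-Sun_SSH_1.0.1", "08:00:20:xx:xx:xx"):
        print(f"{source:4} {detail}")
```

The MAC prefix is only visible to hosts on the same layer-2 segment, while the SSH identification string is sent to anyone who can reach port 22.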