Gregory Pickett

Paper Title

Let's screw with nmap

Abstract

Differences in packet headers allow tools like nmap to fingerprint operating systems. My new approach to packet normalization removes these header differences, and prevents fingerprinting... and prevents it for most hosts on the network.

The proof of concept, IDGuard, is a Linux Kernel module that can be installed as part of the embedded firmware of any Linux-based router to give all the packets flowing through the router the same starting TTL, the same selection of TCP options, and the same TCP option order, causing nmap, and tools like it to fail in their attempt to fingerprint hosts on the network.

In this session, we'll review packet normalization techniques and how they can be applied to the traffic flowing through our switches to make hosts that they support resistant to fingerprinting, even by nmap, demonstrate IDGuard itself on a RouterBoard model RB450 router, and discuss the issues involved, the challenges to overcome, and the obstacles to deploying this in a production environment. More than enough to show you that while it is not currently an existing feature of switches like DHCP and IGMP snooping, it should be.

Speaker Bio

Gregory Pickett, CISSP, GCIA, GPEN, is an Intrusion Analyst for Fortune 100 companies by day and a penetration tester for Hellfire Security by night. As a penetration tester, his primary areas of focus and occasional research are network and host penetration testing with an interest in using background network traffic to target and exploit network hosts using their own traffic against them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.