Honeypots mailing list archives
Re: Faking OS detection
From: Hendrik Scholz <hscholz () raisdorf net>
Date: Sat, 1 Feb 2003 16:27:17 +0100
Hi!

On Sat, 1 Feb 2003 05:44:59 +0300 leak () blackout ru wrote:
I wonder how I can emulate some OS when somebody scans my box with nmap -O or something else. I'm using FreeBSD on my servers, and currently I block all OS guessing by setting options TCP_DROP_SYNFIN in my kernel.
nmap is using "brute force" to detect the operating system. It uses a standard set of replies to judge from. To confuse nmap, just block certain nmap packets or modify the response.
But is it possible to modify TCP/IP stack so it will emulate win2k or linux or something else?
The most obvious things that come to mind when I want to identify an operating system are the TTL which was set when the packet was sent, the window size, the TCP options and the DF bit. In FreeBSD you can use sysctl to set variables like

net.inet.ip.ttl: 64
net.inet.tcp.sendspace: 32768
net.inet.tcp.recvspace: 65536

to values known from other operating systems (e.g. TTL 128 for most Windows systems).

I'm just writing a passive OS fingerprinting daemon that uses TCP SYN and SYN/ACK packets to determine the operating system. Using the order of the TCP options it is in some cases possible to detect the operating system. The method by which the IP ID is set (increment by 1, random positive increments, increments by n*256, truly random) can contribute to OS identification, e.g. Linux 2.4 sets IP ID 0 for several types of packets.

In case you are interested in my fingerprinting daemon, take a look at http://www.raisdorf.net/projects/pfprintd/

Hendrik

--
Hendrik Scholz - <hscholz () raisdorf net> - http://raisdorf.net/
drag me, drop me - treat me like an object
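The reply above lists the fields a passive fingerprinter looks at in a SYN: the TTL (rounded up to the stack default it started from), the window size, the DF bit, the order of the TCP options and how the IP ID evolves from packet to packet. The following is an added example, written for this archive page and not code from the original post or from pfprintd, that parses a raw IPv4+TCP SYN, extracts exactly those fields into a p0f-style signature string, and classifies an observed IP ID sequence into the four generation schemes Hendrik names. The two sample SYNs are constructed in the code (TTL, window and option bytes are chosen by hand, not captured from any real host), and the `build_syn` helper, field names and signature format are this example's own.

```python
# Added example: minimal passive TCP/IP SYN fingerprint extraction.
# Not from the original post or pfprintd; packet data is constructed inline.
import struct
from dataclasses import dataclass
from typing import List, Optional

# TCP option kinds and the one-letter codes used in the signature string
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8
OPT_CODE = {OPT_EOL: "E", OPT_NOP: "N", OPT_MSS: "M", OPT_WSCALE: "W",
            OPT_SACKOK: "S", OPT_TS: "T"}


@dataclass
class SynFeatures:
    ttl: int                  # TTL as seen on the wire
    initial_ttl: int          # guessed value the sender started with
    window: int
    df: bool
    ip_id: int
    options: List[str]        # option kinds in wire order
    mss: Optional[int] = None
    wscale: Optional[int] = None

    def signature(self) -> str:
        # initial TTL : window : DF : option order (hypothetical p0f-like format)
        return f"{self.initial_ttl}:{self.window}:{int(self.df)}:{''.join(self.options)}"


def guess_initial_ttl(ttl: int) -> int:
    """Round a seen TTL up to a common stack default; each router hop subtracts 1."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return 255


def parse_syn(pkt: bytes) -> SynFeatures:
    """Extract fingerprint fields from a raw IPv4 packet carrying a TCP SYN (no checksum validation)."""
    ver_ihl, _tos, _tot_len, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(frag & 0x4000)                      # DF is bit 14 of the flags/fragment word
    tcp = pkt[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if not off_flags & 0x02:
        raise ValueError("SYN flag not set")
    opts = tcp[20:(off_flags >> 12) * 4]          # data offset is in 32-bit words

    names: List[str] = []
    mss = wscale = None
    i = 0
    while i < len(opts):                          # walk the TLV option list in wire order
        kind = opts[i]
        names.append(OPT_CODE.get(kind, f"?{kind}"))
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:                       # single-byte option, no length field
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        body = opts[i + 2:i + length]
        if kind == OPT_MSS:
            mss = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE:
            wscale = body[0]
        i += length
    return SynFeatures(ttl, guess_initial_ttl(ttl), window, df, ip_id, names, mss, wscale)


def classify_ip_id(ids: List[int]) -> str:
    """Classify a host's IP ID generation scheme from a sequence of IDs it sent."""
    if len(ids) < 3:
        raise ValueError("need at least three IDs")
    if all(i == 0 for i in ids):
        return "zero"                             # e.g. the Linux 2.4 behaviour the reply mentions
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d == 1 for d in deltas):
        return "increment-by-1"
    if all(d > 0 and d % 256 == 0 for d in deltas):
        return "increment-by-n*256"               # counter emitted in little-endian byte order
    if all(0 < d < 2048 for d in deltas):
        return "random-positive-increments"
    return "random"


def build_syn(ttl: int, window: int, df: bool, ip_id: int, options: bytes) -> bytes:
    """Build a raw IPv4+TCP SYN with the given fields (constructed test input, checksums left 0)."""
    assert len(options) % 4 == 0
    off_flags = (((20 + len(options)) // 4) << 12) | 0x02
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed sample SYNs (hand-picked values, not captured traffic)
SYN_A = build_syn(ttl=60, window=5840, df=True, ip_id=0, options=(
    b"\x02\x04\x05\xb4"            # MSS 1460
    + b"\x04\x02"                  # SACK permitted
    + b"\x08\x0a" + b"\x00" * 8    # timestamp (values zeroed)
    + b"\x01"                      # NOP
    + b"\x03\x03\x00"))            # window scale 0
SYN_B = build_syn(ttl=125, window=16384, df=True, ip_id=0x1234,
                  options=b"\x02\x04\x05\xb4\x01\x01\x04\x02")  # MSS, NOP, NOP, SACK

if __name__ == "__main__":
    for pkt in (SYN_A, SYN_B):
        f = parse_syn(pkt)
        print(f.signature(), "mss", f.mss, "wscale", f.wscale)
    print(classify_ip_id([0x1234, 0x1334, 0x1434, 0x1534]))
```

The two constructed SYNs yield different option orders (MSTNW versus MNNS) and different initial TTL guesses (64 versus 128) even though both set DF, which is the kind of difference a daemon like the one described would key a signature table on. Fed with IDs from a real host, `classify_ip_id` separates the four schemes the reply lists; the thresholds used to tell "random positive increments" from "truly random" are this example's own choice.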
Current thread:
- Faking OS detection leak (Feb 01)
- Re: Faking OS detection mike (Feb 01)
- RE: Faking OS detection Alberto Gonzalez (Feb 01)
- Re: Faking OS detection Hendrik Scholz (Feb 01)
- Re: Faking OS detection Shafik Yaghmour (Feb 01)
- Re: Faking OS detection Franck Veysset (Feb 03)
- Re: Faking OS detection Alan Neville (Feb 03)