Honeypots mailing list archives

Re: Faking OS detection


From: Hendrik Scholz <hscholz () raisdorf net>
Date: Sat, 1 Feb 2003 16:27:17 +0100

Hi!

On Sat, 1 Feb 2003 05:44:59 +0300
leak () blackout ru wrote:

> I wonder how I can emulate some OS when somebody scans my box with
> nmap -O or something else.
> I'm using FreeBSD on my servers, and currently I block all OS guessing
> by setting
> options TCP_DROP_SYNFIN in my kernel.

nmap is using "brute force" to detect the operating system. It uses a
standard set of replies to judge from. To confuse nmap just block
certain nmap packets or modify the response.

> But is it possible to modify TCP/IP stack so it will emulate win2k or
> linux or something else?

Most obvious things that come to mind when I want to identify an
operating system are the TTL which was set when the packet was sent, the
window size, TCP options and the DF bit.
In FreeBSD you can use sysctl to set variables like
net.inet.ip.ttl: 64
net.inet.tcp.sendspace: 32768
net.inet.tcp.recvspace: 65536
to values known from other operating systems (i.e. ttl 128 for most
Windows systems).
I'm just writing a passive OS fingerprinting daemon that uses TCP
SYN and SYN/ACK packets to determine the operating system. Using
the order of the TCP options it is in some cases possible to detect
the operating system. The method by which the IP ID is set (increment by 1,
random positive increments, increments by n*256, truly random)
can contribute to OS identification, i.e. Linux 2.4 sets IP ID 0
for several types of packets.

In case you are interested in my fingerprinting daemon take a look
at http://www.raisdorf.net/projects/pfprintd/

Hendrik

-- 
Hendrik Scholz - <hscholz () raisdorf net> - http://raisdorf.net/

drag me, drop me - treat me like an object 
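The passive fingerprinting Hendrik describes (initial TTL, DF bit, window size and TCP option order taken from a SYN) is shown below as an added example; it is not pfprintd or any code from the thread. The signature table, the stack names and the packet builder are constructed for illustration, and the IP ID is only reported, not matched, since classifying its generation pattern needs more than one packet.

```python
"""Passive TCP/IP fingerprinting of a single SYN from its IPv4/TCP headers.

Added example (not pfprintd). Signature values are constructed placeholders,
not measurements of any real operating system.
"""
import struct

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}

# Constructed signature table: initial TTL, DF bit, window size, option order.
SIGNATURES = {
    "stack-A (hypothetical)": {"ttl": 64, "df": True, "window": 65535,
                               "options": ["MSS", "NOP", "WS", "SACKOK", "TS"]},
    "stack-B (hypothetical)": {"ttl": 128, "df": True, "window": 65535,
                               "options": ["MSS", "NOP", "WS", "NOP", "NOP", "SACKOK"]},
}


def parse_tcp_options(raw):
    """Return the option kinds in wire order; the order itself is the feature."""
    names = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL terminates the option list
            names.append("EOL")
            break
        if kind == 1:                      # NOP has no length byte
            names.append("NOP")
            i += 1
            continue
        # Every other option carries a length byte covering kind+length+data.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        names.append(OPTION_NAMES.get(kind, "KIND%d" % kind))
        i += raw[i + 1]
    return names


def initial_ttl(observed):
    """Round the observed TTL up to the usual initial values (32, 64, 128, 255)."""
    return next(base for base in (32, 64, 128, 255) if observed <= base)


def fingerprint(pkt):
    """Extract fingerprint features from a raw IPv4 packet carrying a TCP SYN."""
    ver_ihl, _tos, _tlen, ip_id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if not (off_flags & 0x02) or (off_flags & 0x10):   # SYN set, ACK clear
        raise ValueError("not a plain SYN")
    data_off = (off_flags >> 12) * 4
    return {
        "ttl": initial_ttl(ttl),
        "df": bool(flags_frag & 0x4000),
        "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
        "ip_id": ip_id,                    # reported only; pattern needs several packets
    }


def match(fp):
    """Names of all signatures whose TTL/DF/window/option order equal the sample."""
    return [name for name, sig in SIGNATURES.items()
            if all(fp[k] == sig[k] for k in ("ttl", "df", "window", "options"))]


def build_syn(ttl, df, window, options, ip_id=0):
    """Constructed SYN for offline use; checksums stay zero as it is never sent."""
    options = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit words
    data_off = 5 + len(options) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_off << 12) | 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp


# Constructed option block: MSS 1460, NOP, WS 7, SACKOK, TS (20 bytes, word aligned)
OPTS_A = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8

if __name__ == "__main__":
    # A SYN that has travelled four hops from a TTL-64 stack still rounds to 64.
    fp = fingerprint(build_syn(60, True, 65535, OPTS_A))
    print(fp, "->", match(fp))
```

The TTL rounding is the reason a fingerprint can be spoofed by changing net.inet.ip.ttl alone only partially: the window size and the option order still identify the stack, which is exactly the point made in the reply.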

