Honeypots mailing list archives

Re: Faking OS detection


From: "Alan Neville" <aneville () isiclabs com>
Date: Sat, 1 Feb 2003 17:35:04 -0000

Why not just use blackhole, so no one can even nmap your server/workstation?
Set the following options, so when you reboot, blackhole is initialized on
TCP and UDP ports.
This will stop people from nmapping or attempting any type of stealth scan
against your system.

-bash-2.05b$ cat /etc/sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.1.2.3 2002/04/15 00:44:13 dougb Exp $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
-bash-2.05b$

To enable blackhole without a reboot, do the following:

-bash-2.05b$ uname -a
FreeBSD sciaphobia.net 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Sat Jan 11
13:56:50 GMT 2003     alan () sciaphobia net:/usr/src/sys/compile/JESSICA  i386
-bash-2.05b$ sysctl -a | grep blackhole
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
-bash-2.05b$ su
Password:
sciaphobia# sysctl -w net.inet.tcp.blackhole=2; sysctl -w net.inet.udp.blackhole=1
net.inet.tcp.blackhole: 0 -> 2
net.inet.udp.blackhole: 0 -> 1
sciaphobia# exit
-bash-2.05b$

Alan
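
An added example, not code from Alan's post or from the FreeBSD project: a small POSIX sh audit that reads a sysctl.conf-style file and reports whether blackhole is actually in effect. It distinguishes net.inet.tcp.blackhole=1 (only SYNs to closed ports are dropped; other segments still draw a RST) from 2 (every segment to a closed port is dropped), and it catches the two ways a file like Alan's silently stops working: a commented-out line and a later assignment that overrides an earlier one (rc applies the file top to bottom, so the last value wins). Both sample configs are constructed; the function names are mine. Two caveats a practitioner would want alongside this: blackhole only silences closed ports, so open services still answer and nmap shows the rest as "filtered" rather than invisible, and -O loses its closed-port probes but can still fingerprint from open-port responses; and a local client that connects to a closed port on the box now waits for a timeout instead of getting an immediate refusal.

```shell
#!/bin/sh
# Added example (not from the post): audit FreeBSD blackhole settings in a
# sysctl.conf-style text against the values Alan uses (tcp=2, udp=1).
# Reads the config on stdin, so it runs anywhere with sh + awk; no FreeBSD
# box or root needed.  The sample configs below are constructed.

# Effective value of one key in sysctl.conf syntax: '#' comments ignored,
# whitespace around '=' tolerated, last assignment wins.  Prints "unset"
# when the key never appears uncommented.
conf_value() {
    awk -v key="$1" '
        { sub(/#.*/, "") }                       # drop comments
        index($0, "=") {
            k = $0; sub(/=.*/, "", k);     gsub(/[[:space:]]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[[:space:]]/, "", v)
            if (k == key) val = v                # later lines override
        }
        END { if (val == "") val = "unset"; print val }'
}

# Audit the config on stdin: one finding per stack, return 0 only when
# both TCP and UDP are hardened the way the post sets them.
audit_blackhole() {
    conf=$(cat)
    tcp=$(printf '%s\n' "$conf" | conf_value net.inet.tcp.blackhole)
    udp=$(printf '%s\n' "$conf" | conf_value net.inet.udp.blackhole)
    rc=0
    case "$tcp" in
        2) echo "OK   net.inet.tcp.blackhole=2: all segments to closed TCP ports dropped, no RST" ;;
        1) echo "WARN net.inet.tcp.blackhole=1: only SYNs dropped; other segments to closed ports still get a RST"
           rc=1 ;;
        *) echo "FAIL net.inet.tcp.blackhole=$tcp: closed TCP ports answer with RST"
           rc=1 ;;
    esac
    case "$udp" in
        0|unset) echo "FAIL net.inet.udp.blackhole=$udp: closed UDP ports answer with ICMP port unreachable"
                 rc=1 ;;
        *)       echo "OK   net.inet.udp.blackhole=$udp: datagrams to closed UDP ports dropped, no ICMP" ;;
    esac
    return $rc
}

# Constructed sample 1: the file from the post (hardened).
hardened_conf() {
    cat <<'EOF'
# $FreeBSD: src/etc/sysctl.conf,v 1.1.2.3 2002/04/15 00:44:13 dougb Exp $
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
EOF
}

# Constructed sample 2: looks hardened at a glance but is not. The UDP line
# is commented out and a later line downgrades tcp.blackhole to 1.
weak_conf() {
    cat <<'EOF'
net.inet.tcp.blackhole=2
#net.inet.udp.blackhole=1
net.inet.tcp.blackhole = 1   # added while debugging, never reverted
EOF
}

# Stand-alone usage: audit both samples.
main() {
    echo "== hardened sample =="
    hardened_conf | audit_blackhole
    echo "== weak sample =="
    weak_conf | audit_blackhole || echo "weak sample rejected (exit $?)"
}

main
```

Point the same functions at the live file and the live kernel on a FreeBSD host (`audit_blackhole < /etc/sysctl.conf`, and `sysctl net.inet.tcp.blackhole net.inet.udp.blackhole` for the running values) to spot drift between what is persisted and what is active, which is exactly the gap Alan's two-step procedure above is closing.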




----- Original Message -----
From: "Franck Veysset" <franck.veysset () rd francetelecom com>
To: <leak () blackout ru>; <honeypots () securityfocus com>
Sent: Monday, February 03, 2003 7:57 AM
Subject: Re: Faking OS detection


There was a tool called "FPF" (stands for FingerPrintFucker) that should
do what you want:
"BSD FingerPrintFucker is a kld for FreeBSD that changes the TCP/IP
stack in order to emulate other OS's against TCP/IP fingerprinting".

But I definitely do not recommend using that kind of tool on a real
server!
Hope this helps...

-Franck


leak () blackout ru wrote:
I wonder how I can emulate some OS when somebody scans my box with
nmap -O or something else.
I'm using FreeBSD on my servers, and currently I block all OS guessing
by setting
options TCP_DROP_SYNFIN in my kernel.

But is it possible to modify TCP/IP stack so it will emulate win2k or
linux or something else?

Thanks




--
Franck VEYSSET  - France Telecom R&D/DTL/SSR
mailto: franck.veysset () rd francetelecom com



