Security Incidents mailing list archives

An Embryonic Counterintelligence Tool


From: spb () SCHADENFREUDE MESHUGGENEH NET (Stephen P. Berry)
Date: Fri, 14 Jan 2000 22:18:47 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Several months ago, I asked if anyone knew of any tools (or projects
to produce tools) that present an arbitrarily-chosen TCP fingerprint
to a scanner.  I had been fiddling around with such a thing, and
was curious if there were any similar widgets already in
a `finished product' state.

I didn't get any suggestions for leads on existing code, but several
people offered to help test any code I might have.

If anyone is interested in testing some ragged, ugly, not-ready-to-
see-the-light-of-day-(and-vice-versa) code, let me know.  I've got
the first rev in a works-consistently-for-what-I-do-with-it state,
and would like to submit the code to some outside scrutiny.

The widget listens on an interface for traffic that
matches any of a number of signatures characteristic of TCP
fingerprinting scans, and then attempts to respond in such a way
as to lead the scanner to believe the target machine is running
an arbitrarily-specified OS and platform.  It currently reads
fingerprints directly from an nmap(1) config file, and my focus
has been specifically to subvert nmap(1) scans.

Disclaimer:  At this stage, it is more of a cute toy than a badass,
gung-ho, ass-kickin' security application.  I'd like to eventually
make the trigger conditions somewhat more generic and less
scanner-specific.  I'd also like to roll in functionality for
multiple concurrent fingerprints, doing selective TTL decrementing
and sending ICMP_UNREACHables---so the widget could appear to be
an entire network.

In addition to the code for the widget in question, you'll need
an *BSD system to run it on.  I've been developing on OpenBSD,
but the other BSDs should work fine as well[0].  In addition to
the OS itself, you should have some sort of packet filter---I
suggest ipf(8) which, conveniently, comes with OpenBSD.

If you're interested in testing, drop me a line.  I'm currently putting
together some documentation for the code, and expect to have it done
this weekend or sometime next week.

- -Steve

- -----
0     The widget uses BPF.  Although my development has been done on
      OpenBSD, with some testing on FreeBSD, it should work on
      most systems implementing BPF.
      Future revs will probably support other systems---the code for
      the fingerprint-foiling widget is just a set of custom callbacks
      for a small, generic libpcap-based IDS I'm fiddling with.  Since
      everything but the bits for writing ether frames to the wire
      is portable, it would be nice to support non-BPF methods.
      On the other hand, BPF rocks and I have to fight back waves of
      nausea every time I think about DLPI[1]....
1     At least as implemented under Solaris.  Mind you, the code I'm
      talking about does a lot of filtering and packet writing in luser space,
      so it's a bit of a pig anyway.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4gBBTG3kIaxeRZl8RAiPVAJ9WLHUReRF0/i8Bk1iIr2ppqpe3DwCg2gDl
1wdpf5WThDhWCqO7Zp80ZVg=
=bX1R
-----END PGP SIGNATURE-----
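The two moving parts Steve describes (spot traffic that matches the signatures of a TCP fingerprinting scan, then look up in nmap's fingerprint file how the OS being impersonated would answer) can be sketched in a few dozen lines. The following is an added illustration, not code from the original post or from the widget itself: it classifies TCP segments against the flag combinations the first-generation nmap tests (T1 through T7) used, flags sources that emit several of them, and parses a fingerprint entry written in the style of the old nmap-os-fingerprints file. The fingerprint text and the packets are constructed for the example; the entry's values are illustrative, not a real OS's measurements.

```python
"""Added illustration of the fingerprint-foiling widget's two core steps:
(1) recognise which classic nmap test (T1..T7) an incoming TCP segment
resembles, and (2) parse a fingerprint entry in the style of nmap's
1st-generation nmap-os-fingerprints file, so the reply prescribed for
that test by the OS one wants to impersonate can be looked up.
The fingerprint text and the segments below are constructed for this
example; they are not the original post's code or data."""
from collections import defaultdict
from dataclasses import dataclass
import re

# TCP flag bits as they sit in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Segment:
    src: str          # source address of the probe
    dport: int        # destination port on the protected host
    flags: int        # OR of the flag bits above
    port_open: bool   # whether dport is actually listening


# Flag combinations the 1st-gen nmap probes use, keyed by (flags, port_open)
PROBE_TESTS = {
    (SYN, True): "T1",
    (0, True): "T2",                        # NULL segment to an open port
    (SYN | FIN | URG | PSH, True): "T3",
    (ACK, True): "T4",
    (SYN, False): "T5",
    (ACK, False): "T6",
    (FIN | PSH | URG, False): "T7",
}
# Combinations no conforming stack emits on its own; one of these is a strong signal
NEVER_LEGIT = {"T2", "T3", "T7"}


def classify(seg):
    """Name of the nmap test this segment looks like, or None for ordinary traffic."""
    return PROBE_TESTS.get((seg.flags, seg.port_open))


def fingerprinting_sources(segments, min_tests=3):
    """Sources that sent at least `min_tests` distinct probe types including one
    never-legitimate combination. T1/T4/T5/T6 alone also occur in normal traffic
    (connects, stray ACKs), so they only corroborate."""
    seen = defaultdict(set)
    for seg in segments:
        test = classify(seg)
        if test:
            seen[seg.src].add(test)
    return sorted(src for src, tests in seen.items()
                  if len(tests) >= min_tests and tests & NEVER_LEGIT)


_TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprints(text):
    """Parse 'Fingerprint <name>' blocks followed by TEST(key=val%key=val) lines.
    A value containing '|' lists alternatives and is kept as a list."""
    db, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):].strip()
            db[current] = {}
            continue
        m = _TEST_LINE.match(line)
        if not m or current is None:
            raise ValueError(f"unexpected line: {raw!r}")
        test, body = m.groups()
        attrs = {}
        for item in filter(None, body.split("%")):
            key, _, val = item.partition("=")
            attrs[key] = val.split("|") if "|" in val else val
        db[current][test] = attrs
    return db


# Constructed entry in the old nmap style; the values are illustrative only
SAMPLE_DB = """\
Fingerprint Example OS 1.0
TSeq(Class=RI%gcd=<6%SI=<1000000)
T1(DF=N%W=402E%ACK=S++%Flags=AS%Ops=NNTNWM)
T2(Resp=N)
T3(Resp=Y%DF=N%W=402E%ACK=S++%Flags=AS%Ops=NNTNWM)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
"""


def prescribed_reply(db, os_name, seg):
    """The impersonated OS's entry for the probe this segment resembles (the
    widget would shape its answer from it); None if it is not a recognised
    probe. An entry of Resp=N means the entry prescribes silence."""
    test = classify(seg)
    if test is None:
        return None
    return db[os_name].get(test, {})


if __name__ == "__main__":
    db = parse_fingerprints(SAMPLE_DB)
    probes = [Segment("10.0.0.9", 80, SYN, True),
              Segment("10.0.0.9", 80, 0, True),
              Segment("10.0.0.9", 80, SYN | FIN | URG | PSH, True),
              Segment("10.0.0.9", 31337, FIN | PSH | URG, False),
              Segment("10.0.0.5", 80, SYN, True)]
    print(fingerprinting_sources(probes))
    print(prescribed_reply(db, "Example OS 1.0", probes[2]))
```

The threshold in `fingerprinting_sources` is the part worth tuning: a single bare SYN or ACK is routine, so the detector insists on one of the flag combinations a real stack never generates before it calls a source a scanner, which is the same trigger-specificity problem the post mentions wanting to generalise.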