Re: Nmap Project Idea | GSOC 2015 | Panopticlick | fake fingerprint

[Jacek Wielemborek <d33tah () gmail com>]

W dniu 27.02.2015 o 10:29, Rohit Dua pisze:
> Hello
>
> I'm Rohit from India, aspiring for gsoc-2015(Nmap). This will be my 2nd
> consecutive year for gsoc participation. Previous mediawiki. Project:BUB
> tool <http://tools.wmflabs.org/bub/>
>
> I would like to propose a project relating to fake browser fingerprinting.
>
> Panopticlick obtains browser fingerprints mainly via javascript
> objects(navigator, screen, window etc.)  These objects are easy to fake in
> webkit browsers, without touching the underlying source code of browsers,
> eg.  using *__defineGetter__() *after every*javascriptObjectCleared.*
>
> If we could compile a large dataset of possible values of js object for
> several popular browsers, we could use that to randomize the fingerprint
> for each network request.
>
> The dataset could also contain random http header values etc.
>
> I am building a python library that does somewhat similar.
> https://github.com/rohit-dua/selkie (*in development*) It uses pyqt for
> headless browsing/scraping of webpages. It is a python library that mimics
> different browser fingerprints by faking(randomizing) the values of
> navigator, screen object, headers etc. I also intend to add biometric
> library that mimics humans mouse movements/ keypress statistics for
> clicking links and surfing pages.
>
> I propose to build a similar headless bot that mimics several browsers
> fingerprints and could be used for anonymous scraping of data and/or adding
> a feature of random fingerprint in awesome tor tools. Also to improve
> anonymity location based datasets could be provided(*supported in the above
> library*) as extra/feature.(maybe downloaded fromstatcounter.com)
>
> Thanks
>
> Rohit Dua
>
> IRC:rohit-dua
>
> github: rohit-dua <https://github.com/rohit-dua/>
>
> (8ohit.dua () gmail com)

Hello,

I'm not sure I understand your proposal. The way I get it, you are
thinking of building a Qt interface for Nmap in order to fake javascript
behavior of other browsers. If I am correct, the problem is that this
involves adding a huge dependency to the scanner, so I don't think this
is feasible. Other developers might have different opinions, though.

The alternative would be to use an already existing browser with the aid
of Selenium or PhantomJS. The problem is that - if I recall correctly -
scripts that rely on third-party software don't get bundled with
standard Nmap distributions.

Jacek Wielemborek

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/