OS Fingerprint

OS Fingerprint

[Rodre Ghorashi-Zadeh]

Hello,

Does anybody on this list have a rule that I can use to change the OS 
fingerprint of all packets leaving my DMZ? Thanks in advance.

®odre

_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE*  
http://join.msn.com/?page=features/virus&pgmarket=en-ca&RU=http%3a%2f%2fjoin.msn.com%2f%3fpage%3dmisc%2fspecialoffers%26pgmarket%3den-ca

Re: OS Fingerprint

[Antony Stone]

On Tuesday 18 November 2003 10:05 am, Rodre Ghorashi-Zadeh wrote:

> Hello,
>
> Does anybody on this list have a rule that I can use to change the OS
> fingerprint of all packets leaving my DMZ? Thanks in advance.

This is not a simple thing to do, it involves mucking around with the way the 
TCP/IP stack works inside the kernel, and as far as I know it can't be done 
by a router disguising another machine; it needs to be done on the machine 
itself which you are trying to disguise.

Try http://voodoo.somoslopeor.com/papers/nmap.html#LSOLUTIONS for some 
possible ways to achieve it.

Antony.

-- 

Documentation is like sex:
when it's good, it's very very good;
when it's bad, it's still better than nothing.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: OS Fingerprint

[Chris Brenton]

On Tue, 2003-11-18 at 05:05, Rodre Ghorashi-Zadeh wrote:
>
> Does anybody on this list have a rule that I can use to change the OS 
> fingerprint of all packets leaving my DMZ? Thanks in advance.

Os passive fingerprinting is typically done with ICMP type 8's as well
as TCP SYN packets. Its possible to do it with SYN/ACKs, but its not
easy.

You could use iptables to rewrite the TTL. That usually the first value
people key in on to do OS detection. That, and its something you could
do to "all packets" as you require. It will not fool everyone, but any
other changes will only be applicable to certain packets.

HTH,
C

Re: OS Fingerprint

[Maciej Soltysiak]

> Os passive fingerprinting is typically done with ICMP type 8's as well
> as TCP SYN packets. Its possible to do it with SYN/ACKs, but its not
> easy.
Read documentation about xprobe2. It describes the techniques used
by this modular os fingerprinting scanner.

http://www.sys-security.com/html/projects/X.html

The most often used characteristics are explaind in the documentation
of the configuration file of xprobe2.

Including ttl of icmp issued by udp packets sent to closed ports,
invalid checksum in older *bsd, the amount of data echoed back in
icmp errors. Echoing of flags in various headers, etc...


Regards,
Maciej

Re: OS Fingerprint

[hclfm]

[-- Attachment #1: Type: text/html, Size: 2345 bytes --]

OS Fingerprint

[Vlado Had]

hi, could somebody help me, how can i change
osfingerprint in packets?
thanks


		
__________________________________ 
Do you Yahoo!? 
Take Yahoo! Mail with you! Get it on your mobile phone. 
http://mobile.yahoo.com/maildemo 

Re: OS Fingerprint

[Aleksandar Milivojevic]

Vlado Had wrote:
> hi, could somebody help me, how can i change
> osfingerprint in packets?

Take a look at:

http://voodoo.somoslopeor.com/papers/nmap.html

Also, properly configuring firewall (by doing TCP flags checks) might
also prevent nmap from easilly detecting OS you are running.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

RE: OS Fingerprint

[Daniel Chemko]

Vlado Had wrote:
> hi, could somebody help me, how can i change
> osfingerprint in packets?
> thanks

Do some homework. Basically a scanner uses inherent flaws in a packet
response to determine the destination machine, but it could also use the
fingerprint of the services running on the PC. Ex. if I implement 100%
faking on the networking part of my stealthing, but leave apache open,
the apache could say Redhat Linux blahblahblah and give it all away to
the hacker. It isn't just 'change TOS to random', or MSS to y, or block
all n packets to port q. Those are some OS fingerprint examples, but the
technique is a lot more detailed. If in doubt, tear open the nmap code!

Re: OS Fingerprint

[Bryan Shake]

[-- Attachment #1: Type: text/plain, Size: 1460 bytes --]

On 11/29/04 17:12, Daniel Chemko wrote:
> Vlado Had wrote:
> 
>>hi, could somebody help me, how can i change
>>osfingerprint in packets?
>>thanks
> 
> 
> Do some homework. Basically a scanner uses inherent flaws in a packet
> response to determine the destination machine, but it could also use the
> fingerprint of the services running on the PC. Ex. if I implement 100%
> faking on the networking part of my stealthing, but leave apache open,
> the apache could say Redhat Linux blahblahblah and give it all away to
> the hacker. It isn't just 'change TOS to random', or MSS to y, or block
> all n packets to port q. Those are some OS fingerprint examples, but the
> technique is a lot more detailed. If in doubt, tear open the nmap code!
>

The IP Personality patch may be a solution, although it could only do so 
much as pointed out above (running network processes giving you away, 
etc) ... "http://ippersonality.sourceforge.net/"

Unfortunately, it doesn't appear to be actively maintained any longer.. 
  Linux 2.4.18 and iptables 1.2.2 were the last official releases, with 
a 2.4.20 patch here that doesn't seem to have ever made it onto the 
official download page.
"http://sourceforge.net/tracker/index.php?func=detail&aid=647045&group_id=7557&atid=307557" 


Additionaly, some OS fingerprinting tools such as p0f can be tricked by 
carefully modifying sysctl values such as ip_default_ttl, etc as they 
rely on matching a certain profile.

Bryan

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 2761 bytes --]

RE: OS Fingerprint

[Hudson Delbert J Contr 61 CS/SCBN]

[-- Attachment #1: Type: text/plain, Size: 1273 bytes --]


daniel,

wow....the actual laundry list of activities and techniques required to
harden
any specific system from telling the world what os and apps are running is
REALLY
beyond the scope of the list.

or look at dsniff@monkey.org (that dug song's a pretty smart guy)

Vlad,

	you have a LOT of reading and research to do....

~piranha



-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Daniel Chemko
Sent: Monday, November 29, 2004 2:12 PM
To: Vlado Had; netfilter@lists.netfilter.org
Subject: RE: OS Fingerprint


Vlado Had wrote:
> hi, could somebody help me, how can i change
> osfingerprint in packets?
> thanks

Do some homework. Basically a scanner uses inherent flaws in a packet
response to determine the destination machine, but it could also use the
fingerprint of the services running on the PC. Ex. if I implement 100%
faking on the networking part of my stealthing, but leave apache open,
the apache could say Redhat Linux blahblahblah and give it all away to
the hacker. It isn't just 'change TOS to random', or MSS to y, or block
all n packets to port q. Those are some OS fingerprint examples, but the
technique is a lot more detailed. If in doubt, tear open the nmap code!

Re: OS Fingerprint

[谷子]

On 11/29/04 17:12, Daniel Chemko wrote:
> Vlado Had wrote:
> 
>>hi, could somebody help me, how can i change
>>osfingerprint in packets?
>>thanks
> 
> 
> Do some homework. Basically a scanner uses inherent flaws in a packet
> response to determine the destination machine, but it could also use the
> fingerprint of the services running on the PC. Ex. if I implement 100%
> faking on the networking part of my stealthing, but leave apache open,
> the apache could say Redhat Linux blahblahblah and give it all away to
> the hacker. It isn't just 'change TOS to random', or MSS to y, or block
> all n packets to port q. Those are some OS fingerprint examples, but the
> technique is a lot more detailed. If in doubt, tear open the nmap code!
>
>
>The IP Personality patch may be a solution, although it could only do so 
>much as pointed out above (running network processes giving you away, 
>etc) ... "http://ippersonality.sourceforge.net/"

>
>Unfortunately, it doesn't appear to be actively maintained any longer.. 
 > Linux 2.4.18 and iptables 1.2.2 were the last official releases, with 
>a 2.4.20 patch here that doesn't seem to have ever made it onto the 
>official download page.
>"http://sourceforge.net/tracker/index.php?func=detail&aid=647045&group_id=7557&atid=307557" 


>Additionaly, some OS fingerprinting tools such as p0f can be tricked by 
>carefully modifying sysctl values such as ip_default_ttl, etc as they 
>rely on matching a certain profile.

>Bryan


but ippersonality can't support kernel 2.4.27 and iptables 1.2.11?