Re: OS Fingerprint

[Bryan Shake <bshake@vt.edu>]

[-- Attachment #1: Type: text/plain, Size: 1460 bytes --]

On 11/29/04 17:12, Daniel Chemko wrote:
> Vlado Had wrote:
> 
>>hi, could somebody help me, how can i change
>>osfingerprint in packets?
>>thanks
> 
> 
> Do some homework. Basically a scanner uses inherent flaws in a packet
> response to determine the destination machine, but it could also use the
> fingerprint of the services running on the PC. Ex. if I implement 100%
> faking on the networking part of my stealthing, but leave apache open,
> the apache could say Redhat Linux blahblahblah and give it all away to
> the hacker. It isn't just 'change TOS to random', or MSS to y, or block
> all n packets to port q. Those are some OS fingerprint examples, but the
> technique is a lot more detailed. If in doubt, tear open the nmap code!
>

The IP Personality patch may be a solution, although it could only do so 
much as pointed out above (running network processes giving you away, 
etc) ... "http://ippersonality.sourceforge.net/"

Unfortunately, it doesn't appear to be actively maintained any longer.. 
  Linux 2.4.18 and iptables 1.2.2 were the last official releases, with 
a 2.4.20 patch here that doesn't seem to have ever made it onto the 
official download page.
"http://sourceforge.net/tracker/index.php?func=detail&aid=647045&group_id=7557&atid=307557" 


Additionaly, some OS fingerprinting tools such as p0f can be tricked by 
carefully modifying sysctl values such as ip_default_ttl, etc as they 
rely on matching a certain profile.

Bryan

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 2761 bytes --]