* RE: OS Fingerprint
@ 2004-11-29 22:12 Daniel Chemko
2004-11-30 4:02 ` Bryan Shake
0 siblings, 1 reply; 11+ messages in thread
From: Daniel Chemko @ 2004-11-29 22:12 UTC (permalink / raw)
To: Vlado Had, netfilter
Vlado Had wrote:
> hi, could somebody help me, how can i change
> osfingerprint in packets?
> thanks
Do some homework. Basically a scanner uses inherent flaws in a packet
response to determine the destination machine, but it could also use the
fingerprint of the services running on the PC. Ex. if I implement 100%
faking on the networking part of my stealthing, but leave apache open,
the apache could say Redhat Linux blahblahblah and give it all away to
the hacker. It isn't just 'change TOS to random', or MSS to y, or block
all n packets to port q. Those are some OS fingerprint examples, but the
technique is a lot more detailed. If in doubt, tear open the nmap code!
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: OS Fingerprint
2004-11-29 22:12 OS Fingerprint Daniel Chemko
@ 2004-11-30 4:02 ` Bryan Shake
0 siblings, 0 replies; 11+ messages in thread
From: Bryan Shake @ 2004-11-30 4:02 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 1460 bytes --]
On 11/29/04 17:12, Daniel Chemko wrote:
> Vlado Had wrote:
>
>>hi, could somebody help me, how can i change
>>osfingerprint in packets?
>>thanks
>
>
> Do some homework. Basically a scanner uses inherent flaws in a packet
> response to determine the destination machine, but it could also use the
> fingerprint of the services running on the PC. Ex. if I implement 100%
> faking on the networking part of my stealthing, but leave apache open,
> the apache could say Redhat Linux blahblahblah and give it all away to
> the hacker. It isn't just 'change TOS to random', or MSS to y, or block
> all n packets to port q. Those are some OS fingerprint examples, but the
> technique is a lot more detailed. If in doubt, tear open the nmap code!
>
The IP Personality patch may be a solution, although it could only do so
much as pointed out above (running network processes giving you away,
etc) ... "http://ippersonality.sourceforge.net/"
Unfortunately, it doesn't appear to be actively maintained any longer..
Linux 2.4.18 and iptables 1.2.2 were the last official releases, with
a 2.4.20 patch here that doesn't seem to have ever made it onto the
official download page.
"http://sourceforge.net/tracker/index.php?func=detail&aid=647045&group_id=7557&atid=307557"
Additionaly, some OS fingerprinting tools such as p0f can be tricked by
carefully modifying sysctl values such as ip_default_ttl, etc as they
rely on matching a certain profile.
Bryan
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 2761 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: OS Fingerprint
@ 2004-11-30 14:15 谷子
0 siblings, 0 replies; 11+ messages in thread
From: 谷子 @ 2004-11-30 14:15 UTC (permalink / raw)
To: netfilter
On 11/29/04 17:12, Daniel Chemko wrote:
> Vlado Had wrote:
>
>>hi, could somebody help me, how can i change
>>osfingerprint in packets?
>>thanks
>
>
> Do some homework. Basically a scanner uses inherent flaws in a packet
> response to determine the destination machine, but it could also use the
> fingerprint of the services running on the PC. Ex. if I implement 100%
> faking on the networking part of my stealthing, but leave apache open,
> the apache could say Redhat Linux blahblahblah and give it all away to
> the hacker. It isn't just 'change TOS to random', or MSS to y, or block
> all n packets to port q. Those are some OS fingerprint examples, but the
> technique is a lot more detailed. If in doubt, tear open the nmap code!
>
>
>The IP Personality patch may be a solution, although it could only do so
>much as pointed out above (running network processes giving you away,
>etc) ... "http://ippersonality.sourceforge.net/"
>
>Unfortunately, it doesn't appear to be actively maintained any longer..
> Linux 2.4.18 and iptables 1.2.2 were the last official releases, with
>a 2.4.20 patch here that doesn't seem to have ever made it onto the
>official download page.
>"http://sourceforge.net/tracker/index.php?func=detail&aid=647045&group_id=7557&atid=307557"
>Additionaly, some OS fingerprinting tools such as p0f can be tricked by
>carefully modifying sysctl values such as ip_default_ttl, etc as they
>rely on matching a certain profile.
>Bryan
but ippersonality can't support kernel 2.4.27 and iptables 1.2.11?
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: OS Fingerprint
@ 2004-11-29 22:27 Hudson Delbert J Contr 61 CS/SCBN
0 siblings, 0 replies; 11+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-11-29 22:27 UTC (permalink / raw)
To: 'Daniel Chemko', Vlado Had, netfilter
[-- Attachment #1: Type: text/plain, Size: 1273 bytes --]
daniel,
wow....the actual laundry list of activities and techniques required to
harden
any specific system from telling the world what os and apps are running is
REALLY
beyond the scope of the list.
or look at dsniff@monkey.org (that dug song's a pretty smart guy)
Vlad,
you have a LOT of reading and research to do....
~piranha
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Daniel Chemko
Sent: Monday, November 29, 2004 2:12 PM
To: Vlado Had; netfilter@lists.netfilter.org
Subject: RE: OS Fingerprint
Vlado Had wrote:
> hi, could somebody help me, how can i change
> osfingerprint in packets?
> thanks
Do some homework. Basically a scanner uses inherent flaws in a packet
response to determine the destination machine, but it could also use the
fingerprint of the services running on the PC. Ex. if I implement 100%
faking on the networking part of my stealthing, but leave apache open,
the apache could say Redhat Linux blahblahblah and give it all away to
the hacker. It isn't just 'change TOS to random', or MSS to y, or block
all n packets to port q. Those are some OS fingerprint examples, but the
technique is a lot more detailed. If in doubt, tear open the nmap code!
^ permalink raw reply [flat|nested] 11+ messages in thread
* OS Fingerprint
@ 2004-11-29 21:57 Vlado Had
2004-11-30 14:21 ` Aleksandar Milivojevic
0 siblings, 1 reply; 11+ messages in thread
From: Vlado Had @ 2004-11-29 21:57 UTC (permalink / raw)
To: netfilter
hi, could somebody help me, how can i change
osfingerprint in packets?
thanks
__________________________________
Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
http://mobile.yahoo.com/maildemo
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: OS Fingerprint
@ 2003-11-18 11:14 hclfm
0 siblings, 0 replies; 11+ messages in thread
From: hclfm @ 2003-11-18 11:14 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/html, Size: 2345 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* OS Fingerprint
@ 2003-11-18 10:05 Rodre Ghorashi-Zadeh
2003-11-18 10:57 ` Antony Stone
2003-11-18 14:29 ` Chris Brenton
0 siblings, 2 replies; 11+ messages in thread
From: Rodre Ghorashi-Zadeh @ 2003-11-18 10:05 UTC (permalink / raw)
To: netfilter
Hello,
Does anybody on this list have a rule that I can use to change the OS
fingerprint of all packets leaving my DMZ? Thanks in advance.
®odre
_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE*
http://join.msn.com/?page=features/virus&pgmarket=en-ca&RU=http%3a%2f%2fjoin.msn.com%2f%3fpage%3dmisc%2fspecialoffers%26pgmarket%3den-ca
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: OS Fingerprint
2003-11-18 10:05 Rodre Ghorashi-Zadeh
@ 2003-11-18 10:57 ` Antony Stone
2003-11-18 14:29 ` Chris Brenton
1 sibling, 0 replies; 11+ messages in thread
From: Antony Stone @ 2003-11-18 10:57 UTC (permalink / raw)
To: netfilter
On Tuesday 18 November 2003 10:05 am, Rodre Ghorashi-Zadeh wrote:
> Hello,
>
> Does anybody on this list have a rule that I can use to change the OS
> fingerprint of all packets leaving my DMZ? Thanks in advance.
This is not a simple thing to do, it involves mucking around with the way the
TCP/IP stack works inside the kernel, and as far as I know it can't be done
by a router disguising another machine; it needs to be done on the machine
itself which you are trying to disguise.
Try http://voodoo.somoslopeor.com/papers/nmap.html#LSOLUTIONS for some
possible ways to achieve it.
Antony.
--
Documentation is like sex:
when it's good, it's very very good;
when it's bad, it's still better than nothing.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: OS Fingerprint
2003-11-18 10:05 Rodre Ghorashi-Zadeh
2003-11-18 10:57 ` Antony Stone
@ 2003-11-18 14:29 ` Chris Brenton
2003-11-18 15:57 ` Maciej Soltysiak
1 sibling, 1 reply; 11+ messages in thread
From: Chris Brenton @ 2003-11-18 14:29 UTC (permalink / raw)
To: Rodre Ghorashi-Zadeh; +Cc: netfilter
On Tue, 2003-11-18 at 05:05, Rodre Ghorashi-Zadeh wrote:
>
> Does anybody on this list have a rule that I can use to change the OS
> fingerprint of all packets leaving my DMZ? Thanks in advance.
Os passive fingerprinting is typically done with ICMP type 8's as well
as TCP SYN packets. Its possible to do it with SYN/ACKs, but its not
easy.
You could use iptables to rewrite the TTL. That usually the first value
people key in on to do OS detection. That, and its something you could
do to "all packets" as you require. It will not fool everyone, but any
other changes will only be applicable to certain packets.
HTH,
C
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: OS Fingerprint
2003-11-18 14:29 ` Chris Brenton
@ 2003-11-18 15:57 ` Maciej Soltysiak
0 siblings, 0 replies; 11+ messages in thread
From: Maciej Soltysiak @ 2003-11-18 15:57 UTC (permalink / raw)
To: Chris Brenton; +Cc: Rodre Ghorashi-Zadeh, netfilter
> Os passive fingerprinting is typically done with ICMP type 8's as well
> as TCP SYN packets. Its possible to do it with SYN/ACKs, but its not
> easy.
Read documentation about xprobe2. It describes the techniques used
by this modular os fingerprinting scanner.
http://www.sys-security.com/html/projects/X.html
The most often used characteristics are explaind in the documentation
of the configuration file of xprobe2.
Including ttl of icmp issued by udp packets sent to closed ports,
invalid checksum in older *bsd, the amount of data echoed back in
icmp errors. Echoing of flags in various headers, etc...
Regards,
Maciej
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2004-11-30 14:21 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-11-29 22:12 OS Fingerprint Daniel Chemko
2004-11-30 4:02 ` Bryan Shake
-- strict thread matches above, loose matches on Subject: below --
2004-11-30 14:15 谷子
2004-11-29 22:27 Hudson Delbert J Contr 61 CS/SCBN
2004-11-29 21:57 Vlado Had
2004-11-30 14:21 ` Aleksandar Milivojevic
2003-11-18 11:14 hclfm
2003-11-18 10:05 Rodre Ghorashi-Zadeh
2003-11-18 10:57 ` Antony Stone
2003-11-18 14:29 ` Chris Brenton
2003-11-18 15:57 ` Maciej Soltysiak
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.