Date: Mon, 08 Feb 2010 17:04:32 -0800 From: Chuck Swiger <cswiger@mac.com> To: yavuz <sakncli@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: Cheating OS fingerprinting Message-ID: <48C3CF5F-3781-4423-868F-C60A4E20C2BE@mac.com> In-Reply-To: <97371e801002070554n7a76a85fnbcce0cea7127cdb9@mail.gmail.com> References: <97371e801002070554n7a76a85fnbcce0cea7127cdb9@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Feb 7, 2010, at 5:54 AM, yavuz wrote: > I want to cheat os fingerprinting tools ( primary nmap) in my freebsd > machine. Assume I am using freebsd 8 and I want to be seen as a windows xp > machine when someone scans my ports. I'll try not to second-guess this goal, but you should be aware that people using OS fingerprinting mechanisms (ie, p0f interface for amavisd) are going to penalize a machine which looks like a Windows box compared with a Unix platform. > In order to determine target host's OS, nmap sends seven TCP/IP crafted > packets (called tests) and waits for the answer. Results are checked against > a database of known results (OS signatures database). If the answer matches > any of the entries in the database, it can guess that the remote OS is the > same that the one in the database. Some Nmap packets are sent to an open > port and the others to a closed port; depending on that results, the remote > OS is guessed. So to cheat nmap, I have to analyze all incomming packets (as > a firewall) and if a test packet coming from a scanner is found I have to > give appropriate reply packet (depending on the os signature I want to use). That's correct. If you simply care about blocking nmap scans, set up firewall rules to block the following TCP th_flag combinations (see /usr/include/netinet/tcp.h): TH_SYN | TH_ECE # nmap T1 <no flags set> # nmap T2 TH_FIN | TH_SYN | TH_PUSH | TH_URG # nmap T3 TH_FIN | TH_URG | TH_PUSH # nmap T7 The other TCP test packets use valid TCP flag combinations and cannot be blocked just by looking at that field. However, you can also check for TCP options being set in the initial SYN packets; nmap uses or used WNMTE. FreeBSD tends to use MNWNNT or MNNSNWNNT with a starting window size of 65535 (but so does other BSD platforms like MacOSX, NetBSD, etc). If you want to look more like Windows XP, you'd want to disable TCP timestamp option but make sure that SACK is enabled; ie, use TCP options like MNNS, MNWNNS, MNWNNSNN and initial window size of 16384. Regards, -- -Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48C3CF5F-3781-4423-868F-C60A4E20C2BE>