From owner-freebsd-questions@FreeBSD.ORG Tue Feb 9 01:04:35 2010
From: Chuck Swiger <cswiger@mac.com>
Date: Mon, 08 Feb 2010 17:04:32 -0800
To: yavuz
Cc: freebsd-questions@freebsd.org
Subject: Re: Cheating OS fingerprinting
Message-id: <48C3CF5F-3781-4423-868F-C60A4E20C2BE@mac.com>
In-reply-to: <97371e801002070554n7a76a85fnbcce0cea7127cdb9@mail.gmail.com>
References: <97371e801002070554n7a76a85fnbcce0cea7127cdb9@mail.gmail.com>
X-Mailer: Apple Mail (2.1077)

On Feb 7, 2010, at 5:54 AM, yavuz wrote:

> I want to cheat OS fingerprinting tools (primarily nmap) on my FreeBSD
> machine. Assume I am using FreeBSD 8 and I want to be seen as a Windows XP
> machine when someone scans my ports.
I'll try not to second-guess this goal, but you should be aware that people
using OS fingerprinting mechanisms (i.e., the p0f interface for amavisd) are
going to penalize a machine which looks like a Windows box compared with a
Unix platform.

> In order to determine the target host's OS, nmap sends seven crafted TCP/IP
> packets (called tests) and waits for the answer. Results are checked against
> a database of known results (OS signatures database). If the answer matches
> any of the entries in the database, it can guess that the remote OS is the
> same as the one in the database. Some Nmap packets are sent to an open
> port and the others to a closed port; depending on those results, the remote
> OS is guessed. So to cheat nmap, I have to analyze all incoming packets (as
> a firewall) and if a test packet coming from a scanner is found I have to
> give an appropriate reply packet (depending on the OS signature I want to use).

That's correct. If you simply care about blocking nmap scans, set up firewall
rules to block the following TCP th_flag combinations (see
/usr/include/netinet/tcp.h):

    TH_SYN | TH_ECE                       # nmap T1
                                          # nmap T2
    TH_FIN | TH_SYN | TH_PUSH | TH_URG    # nmap T3
    TH_FIN | TH_URG | TH_PUSH             # nmap T7

The other TCP test packets use valid TCP flag combinations and cannot be
blocked just by looking at that field. However, you can also check for TCP
options being set in the initial SYN packets; nmap uses or used WNMTE.
FreeBSD tends to use MNWNNT or MNNSNWNNT with a starting window size of
65535 (but so do other BSD platforms like MacOSX, NetBSD, etc).

If you want to look more like Windows XP, you'd want to disable the TCP
timestamp option but make sure that SACK is enabled; i.e., use TCP options
like MNNS, MNWNNS, MNWNNSNN and an initial window size of 16384.

Regards,
-- 
-Chuck
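The two checks Chuck describes (drop the TCP flag combinations that only nmap's T1/T2/T3/T7 probes use, then inspect the option layout and initial window of ordinary SYNs) as an added worked example in Python. This is example code written for this archived thread, not code from the post, from nmap, or from FreeBSD; the letter codes follow the post's strings (M = MSS, N = NOP, W = window scale, S = SACK permitted, T = timestamp, E = end of list), the signature table and its labels are an assumption built only from the pairs the post lists, and the TCP segments it runs over are constructed inline for the demonstration.

```python
"""Classify raw TCP segments the way the post suggests a firewall would:
block the flag combinations only nmap's probes use, and summarize the TCP
option layout and initial window of SYNs into an nmap/p0f-style signature.
Example code added to this archived message; not from the original post."""
import struct

# TCP flag bits as defined in FreeBSD's /usr/include/netinet/tcp.h.
TH_FIN, TH_SYN, TH_RST, TH_PUSH = 0x01, 0x02, 0x04, 0x08
TH_ACK, TH_URG, TH_ECE, TH_CWR = 0x10, 0x20, 0x40, 0x80

# Flag combinations the post names as nmap probes; T2 carries no flags at all.
NMAP_PROBE_FLAGS = {
    TH_SYN | TH_ECE: "nmap T1",
    0: "nmap T2",
    TH_FIN | TH_SYN | TH_PUSH | TH_URG: "nmap T3",
    TH_FIN | TH_URG | TH_PUSH: "nmap T7",
}

# TCP option kind -> letter used in the post's layout strings (MNWNNT etc.).
OPTION_LETTER = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}

# Assumed labels for the (layout, initial window) pairs the post lists;
# a window of None matches any window.
SYN_SIGNATURES = {
    ("MNWNNT", 65535): "BSD-like (FreeBSD/NetBSD/MacOSX)",
    ("MNNSNWNNT", 65535): "BSD-like (FreeBSD/NetBSD/MacOSX)",
    ("MNNS", 16384): "Windows XP-like",
    ("MNWNNS", 16384): "Windows XP-like",
    ("MNWNNSNN", 16384): "Windows XP-like",
    ("WNMTE", None): "nmap SYN probe",
}


def parse_tcp_header(segment: bytes):
    """Return (flags, window, option_bytes) from a raw TCP segment (no IP header)."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    off_flags, window = struct.unpack("!HH", segment[12:16])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    flags = off_flags & 0xFF              # low 8 bits: FIN .. CWR
    return flags, window, segment[20:data_offset]


def option_layout(options: bytes) -> str:
    """Summarize TCP options in order, one letter each; EOL ends the list."""
    letters, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                     # EOL: nothing after it counts
            letters.append("E")
            break
        if kind == 1:                     # NOP is a single byte
            letters.append("N")
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        letters.append(OPTION_LETTER.get(kind, "?"))
        i += length
    return "".join(letters)


def verdict(segment: bytes):
    """('block', reason) for nmap-only flag combos or the nmap SYN layout, else ('pass', label)."""
    flags, window, options = parse_tcp_header(segment)
    if flags in NMAP_PROBE_FLAGS:
        return "block", NMAP_PROBE_FLAGS[flags]
    if flags & (TH_SYN | TH_ACK) != TH_SYN:
        return "pass", "not an initial SYN"
    layout = option_layout(options)
    label = SYN_SIGNATURES.get((layout, window), SYN_SIGNATURES.get((layout, None), "unknown"))
    if label == "nmap SYN probe":
        return "block", f"{label} ({layout})"
    return "pass", f"{layout}/{window}: {label}"


# --- constructed sample segments (not captured traffic) ---------------------
def opt_mss(mss): return struct.pack("!BBH", 2, 4, mss)
def opt_wscale(shift): return bytes([3, 3, shift])
def opt_ts(val, ecr): return struct.pack("!BBII", 8, 10, val, ecr)
OPT_NOP, OPT_SACKOK, OPT_EOL = b"\x01", b"\x04\x02", b"\x00"


def build_segment(flags: int, window: int, options: bytes = b"", sport=40000, dport=80) -> bytes:
    """Build a minimal raw TCP segment; options are padded to 4 bytes with EOL."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, 0x12345678, 0,
                         (data_offset << 12) | flags, window, 0, 0)
    return header + options


FREEBSD_SYN = build_segment(TH_SYN, 65535, opt_mss(1460) + OPT_NOP + opt_wscale(6) + OPT_NOP + OPT_NOP + opt_ts(1, 0))
XP_SYN = build_segment(TH_SYN, 16384, opt_mss(1460) + OPT_NOP + opt_wscale(0) + OPT_NOP + OPT_NOP + OPT_SACKOK)
NMAP_SYN = build_segment(TH_SYN, 1, opt_wscale(10) + OPT_NOP + opt_mss(1460) + opt_ts(0xFFFFFFFF, 0) + OPT_EOL)
NMAP_T2 = build_segment(0, 128)
NMAP_T3 = build_segment(TH_FIN | TH_SYN | TH_PUSH | TH_URG, 1024)
NORMAL_ACK = build_segment(TH_ACK, 65535)

if __name__ == "__main__":
    for name, seg in [("FreeBSD SYN", FREEBSD_SYN), ("XP SYN", XP_SYN), ("nmap SYN", NMAP_SYN),
                      ("nmap T2", NMAP_T2), ("nmap T3", NMAP_T3), ("plain ACK", NORMAL_ACK)]:
        print(f"{name:12s} -> {verdict(seg)}")
```

Only the flag-combination check is something a stateless packet filter can do directly; the option-layout check needs a tool that reads TCP options from the SYN, which is why Chuck's own advice is to change what the host sends rather than to filter on it.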