[9778] in bugtraq
Re: Preventing remote OS detection
daemon@ATHENA.MIT.EDU (Salvatore Sanfilippo)
Tue Feb 23 21:56:53 1999
Date: Tue, 23 Feb 1999 11:33:24 +0100
Reply-To: Salvatore Sanfilippo <antirez@SECLAB.COM>
From: Salvatore Sanfilippo <antirez@SECLAB.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <36D18C0F.1184C638@pgci.ca>; from Patrick Gilbert on Mon, Feb 22, 1999 at 11:55:43AM -0500
On Mon, Feb 22, 1999 at 11:55:43AM -0500, Patrick Gilbert wrote:
>
> How can we mask our operating system from these tcp/ip stack
> fingerprinting tools while still being functional?
>
Re,
In your article you advise that it is possible to
filter SAF using ipfilter. IMHO the best solution
is to patch the kernel (source and GPL are already
implemented for this purpose.) For example, in order
to filter SAF:
*** tcp_output.c Fri Nov 20 10:49:53 1998
--- tcp_output2.c Tue Feb 23 11:15:51 1999
***************
*** 1021,1026 ****
--- 1021,1027 ----
t1->urg = 0;
t1->rst = 0;
t1->psh = 0;
+ t1->fin = 0;
t1->ack_seq = htonl(newsk->acked_seq);
t1->doff = sizeof(*t1)/4+1;
t1->res1 = 0;
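Review bot: the added `t1->fin = 0;` clears the FIN bit of the reply header next to the existing `t1->urg`, `t1->rst` and `t1->psh` lines, so a FIN bit carried by the received SYN is no longer echoed in the SYN-ACK; nothing in the surrounding lines says why the bit is forced off, so a one-line comment at that spot (the post's own reason: stop the stack answering a SYN|FIN probe in a recognisable way) would help whoever maintains this copy. Two smaller points: the `---` header names `tcp_output2.c` while the `***` header names `tcp_output.c`, so `patch` will not locate the target on its own; regenerate the diff with the same path on both sides, e.g. `diff -c tcp_output.c.orig tcp_output.c`. And the hunk touches only the flag byte of this one reply path; the window size and other peculiarities the post mentions afterwards are not changed by it, so anyone applying it should not expect more than the FIN behaviour to differ.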
Kernel patching can also mask window size and
other tcp/ip implementation peculiarities.
In spite of this, if a lot of people use the
same kernel patch, nmap and queso will be
able to identify something as follows:
Linux 2.0.36 with yayaye patch 1.0
I think that patching your kernel in order to emulate
the win95 tcp/ip stack is the best solution... :)
bye,
antirez
--
Salvatore Sanfilippo
Intesis SECURITY LAB Phone: +39-02-671563.1
Via Settembrini, 35 Fax: +39-02-66981953
I-20124 Milano ITALY Email: antirez@seclab.com
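The following is an added example, not code from the post above and not from the Linux kernel: a user-space model of the SYN-ACK construction that the quoted tcp_output.c hunk modifies. It decodes a raw TCP header, derives the flag byte of the reply both as the unpatched path would (reply header started from a copy of the received one, then URG/RST/PSH cleared, which is this example's reading of the hunk's context rather than a statement about any particular kernel version) and as the patched path does (FIN cleared as well), and checks that the patched reply carries exactly SYN|ACK. The names `tcp_hdr`, `parse_tcp_hdr`, `synack_flags`, `synack_is_clean` and `reply_for_probe`, and the 20-byte header bytes, are all constructed for this example.

```c
/*
 * Added example (not from the original post, not Linux kernel code):
 * model of the SYN-ACK flag handling that the posted hunk changes.
 * All names and the sample header bytes below are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as laid out in byte 13 of the header (RFC 793). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

struct tcp_hdr {
    uint16_t source, dest;
    uint32_t seq, ack_seq;
    uint8_t  doff;     /* header length in 32-bit words */
    uint8_t  flags;    /* FIN..URG bits only */
    uint16_t window;
};

/* Decode the fixed 20-byte part of a TCP header from network byte order.
 * Returns 0 on success, -1 if the buffer is too short or doff is bogus. */
static int parse_tcp_hdr(const uint8_t *buf, size_t len, struct tcp_hdr *h)
{
    if (buf == NULL || h == NULL || len < 20)
        return -1;
    h->source  = (uint16_t)((buf[0] << 8) | buf[1]);
    h->dest    = (uint16_t)((buf[2] << 8) | buf[3]);
    h->seq     = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                 ((uint32_t)buf[6] << 8)  | buf[7];
    h->ack_seq = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                 ((uint32_t)buf[10] << 8) | buf[11];
    h->doff    = buf[12] >> 4;
    h->flags   = buf[13] & 0x3f;
    h->window  = (uint16_t)((buf[14] << 8) | buf[15]);
    if (h->doff < 5 || (size_t)h->doff * 4 > len)
        return -1;                      /* data offset points past the buffer */
    return 0;
}

/*
 * Flag byte of the SYN-ACK reply. The reply starts as a copy of the
 * received flags (modelling assumption: reply header built from the
 * incoming one), then URG, RST and PSH are cleared as the three context
 * lines of the hunk do. With patched != 0 the FIN bit is cleared too,
 * which is the single line the posted patch adds.
 */
static uint8_t synack_flags(uint8_t in_flags, int patched)
{
    uint8_t out = in_flags;
    out &= (uint8_t)~(TH_URG | TH_RST | TH_PSH);
    if (patched)
        out &= (uint8_t)~TH_FIN;
    out |= TH_SYN | TH_ACK;
    return out;
}

/* True when the reply carries SYN and ACK and nothing else. */
static int synack_is_clean(uint8_t flags)
{
    return flags == (TH_SYN | TH_ACK);
}

/* Constructed 20-byte TCP header: port 1234 -> 80, SYN|FIN|PSH|URG set,
 * window 1024. Not a capture of real traffic. */
static const uint8_t probe_hdr[20] = {
    0x04, 0xd2, 0x00, 0x50,                   /* source 1234, dest 80   */
    0x00, 0x00, 0x00, 0x01,                   /* seq 1                  */
    0x00, 0x00, 0x00, 0x00,                   /* ack_seq 0              */
    0x50, TH_SYN | TH_FIN | TH_PSH | TH_URG,  /* doff 5, flags 0x2b     */
    0x04, 0x00,                               /* window 1024            */
    0x00, 0x00, 0x00, 0x00                    /* checksum, urgent ptr   */
};

/* Parse the constructed probe and return the reply flags for it,
 * or 0xff if the header does not parse. */
static uint8_t reply_for_probe(int patched)
{
    struct tcp_hdr h;
    if (parse_tcp_hdr(probe_hdr, sizeof probe_hdr, &h) != 0)
        return 0xff;
    return synack_flags(h.flags, patched);
}

int main(void)
{
    uint8_t before = reply_for_probe(0);
    uint8_t after  = reply_for_probe(1);
    printf("reply unpatched 0x%02x (%s), patched 0x%02x (%s)\n",
           before, synack_is_clean(before) ? "clean" : "echoes FIN",
           after,  synack_is_clean(after)  ? "clean" : "echoes FIN");
    return 0;
}
```

Run as-is it reports the unpatched reply as SYN|FIN|ACK and the patched one as plain SYN|ACK; `synack_is_clean` is the check a maintainer of such a patch can keep around to confirm the reply path still emits only the two flags a normal SYN-ACK carries.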