Bugtraq mailing list archives

Re: Preventing remote OS detection


From: antirez () SECLAB COM (Salvatore Sanfilippo)
Date: Tue, 23 Feb 1999 11:33:24 +0100


On Mon, Feb 22, 1999 at 11:55:43AM -0500, Patrick Gilbert wrote:

How can we mask our operating system from these tcp/ip stack
fingerprinting tools while still being functional?


Re,

        In your article you advise that it is possible to
        filter SAF using ipfilter. IMHO the best solution
        is to patch the kernel (source and GPL are already
        implemented for this purpose.) For example, in order
        to filter SAF:

*** tcp_output.c        Fri Nov 20 10:49:53 1998
--- tcp_output2.c       Tue Feb 23 11:15:51 1999
***************
*** 1021,1026 ****
--- 1021,1027 ----
        t1->urg = 0;
        t1->rst = 0;
        t1->psh = 0;
+       t1->fin = 0;
        t1->ack_seq = htonl(newsk->acked_seq);
        t1->doff = sizeof(*t1)/4+1;
        t1->res1 = 0;
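Review bot: the new-file header names tcp_output2.c rather than tcp_output.c, so a plain `patch` run against a kernel tree would target the wrong path; regenerate the diff with both sides named tcp_output.c. The hunk is also pinned to lines 1021-1027 of a tcp_output.c dated Nov 20 1998, so it only applies cleanly to that revision. Finally, the added `t1->fin = 0;` clears FIN at this single reply-construction site alongside urg/rst/psh, which covers exactly the SAF test named in the message; the window size and other stack peculiarities mentioned later are not touched by this hunk.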

        Kernel patching can also mask window size and
        other tcp/ip implementation peculiarities.

        In spite of this, if a lot of people use the
        same kernel patch, nmap and queso will be
        able to identify something as follows:

                Linux 2.0.36 with yayaye patch 1.0

        I think that patching your kernel in order to emulate
        win95 tcp/ip stack is the best solution... :)

bye,
antirez

--
Salvatore Sanfilippo
Intesis SECURITY LAB            Phone: +39-02-671563.1
Via Settembrini, 35             Fax: +39-02-66981953
I-20124 Milano  ITALY           Email: antirez () seclab com
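The following is an added example and is not code from the message above or from the Linux kernel. It models, in plain C without sockets, the two sides of what the reply and its hunk discuss: on the defender side, spotting the SYN+FIN probe that nmap/queso send for the SAF test in a stream of TCP headers; and, for the stack, how the reply flags come out before and after the `t1->fin = 0;` change. The reply model (start from the probe's flag byte, clear URG/RST/PSH, set SYN|ACK, and clear FIN only when patched) is an assumption inferred from the visible hunk, not a claim about the exact kernel code; the three packets are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_HDR_LEN 20
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20

/* Write a minimal 20-byte TCP header (no options, checksum left zero).
 * Used only to construct sample packets for this demo. */
void make_tcp_hdr(uint8_t *hdr, uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(hdr, 0, TCP_HDR_LEN);
    hdr[0] = (uint8_t)(sport >> 8); hdr[1] = (uint8_t)(sport & 0xff);
    hdr[2] = (uint8_t)(dport >> 8); hdr[3] = (uint8_t)(dport & 0xff);
    hdr[12] = 5 << 4;            /* data offset: 5 words */
    hdr[13] = flags & 0x3f;      /* low 6 bits of byte 13 are the flags */
}

uint8_t tcp_flags(const uint8_t *hdr) { return hdr[13] & 0x3f; }

/* SYN and FIN together never occur in a legitimate connection request;
 * that combination is the SAF fingerprint probe. */
int is_synfin_probe(const uint8_t *hdr)
{
    uint8_t f = tcp_flags(hdr);
    return (f & TCP_SYN) && (f & TCP_FIN);
}

/* Assumed model of the reply built in the patched function: copy the probe's
 * flags, clear URG/RST/PSH, then set SYN|ACK.  Unpatched, FIN leaks through
 * from the probe; the hunk's `t1->fin = 0;` is the `patched` branch. */
uint8_t synack_flags(uint8_t probe_flags, int patched)
{
    uint8_t f = probe_flags;
    f &= (uint8_t)~(TCP_URG | TCP_RST | TCP_PSH);
    if (patched)
        f &= (uint8_t)~TCP_FIN;
    f |= TCP_SYN | TCP_ACK;
    return f;
}

/* A SYN/ACK that still carries FIN identifies the unpatched stack. */
int reply_leaks_fin(uint8_t reply_flags) { return (reply_flags & TCP_FIN) != 0; }

/* Scan back-to-back 20-byte headers and count SAF probes (detection side). */
size_t count_synfin_probes(const uint8_t *segs, size_t nsegs)
{
    size_t n = 0;
    for (size_t i = 0; i < nsegs; i++)
        if (is_synfin_probe(segs + i * TCP_HDR_LEN))
            n++;
    return n;
}

/* Convenience wrappers so the checks below can be run without buffers. */
int header_with_flags_is_probe(uint8_t flags)
{
    uint8_t h[TCP_HDR_LEN];
    make_tcp_hdr(h, 40001, 80, flags);
    return is_synfin_probe(h);
}

size_t demo_probe_count(void)
{
    uint8_t segs[3 * TCP_HDR_LEN];                                  /* constructed sample */
    make_tcp_hdr(segs, 40000, 80, TCP_SYN);                         /* ordinary SYN   */
    make_tcp_hdr(segs + TCP_HDR_LEN, 40001, 80, TCP_SYN | TCP_FIN); /* SAF probe      */
    make_tcp_hdr(segs + 2 * TCP_HDR_LEN, 40002, 80, TCP_ACK | TCP_PSH); /* data segment */
    return count_synfin_probes(segs, 3);
}

int main(void)
{
    uint8_t probe = TCP_SYN | TCP_FIN;
    printf("SYN+FIN probes in sample: %zu\n", demo_probe_count());
    printf("unpatched reply flags: 0x%02x (FIN leaks: %d)\n",
           synack_flags(probe, 0), reply_leaks_fin(synack_flags(probe, 0)));
    printf("patched reply flags:   0x%02x (FIN leaks: %d)\n",
           synack_flags(probe, 1), reply_leaks_fin(synack_flags(probe, 1)));
    return 0;
}
```

The detection half is the part a defender can actually deploy: counting SYN+FIN segments per source is a simple signal that a host is being fingerprinted, independent of whether the stack has been patched. The reply half makes the message's closing point concrete: once FIN is cleared the SAF test no longer matches the stock kernel, but a uniform SYN/ACK to a SYN+FIN probe is itself a distinctive answer that a tool can learn to label.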


