Nmap Announce mailing list archives

Re: OS Detection Question


From: "Mr. Man" <mrman () darkside org>
Date: Wed, 3 May 2000 21:49:25 -0500 (CDT)

On Wed, 3 May 2000, John Turner wrote:

> I have searched the net looking for a definitive answer to this question but have come up dry.
> 
> QUESTION:
> Is there a way to completely fool (or block) OS detection from scanners (like nmap, queso, etc.) using the Linux OS? 
> What about Windoze?
> 
> I believe there are patches available for certain versions of the Linux
> Kernel that allow you to fool OS detection tools.  It's mostly a matter of
> re-writing the way the IP stack in Linux handles 'odd,' 'irregular,' or
> 'inappropriate' TCP packets or the default values on connection
> negotiations; i.e. certain combinations of TCP header flags, the default TCP
> Maximum Segment Size, etc.
> 
> Ipfilter can be used to block some of the generic forms of OS detection, but
> I've never used it with Linux.
> 
> Any insight would be greatly appreciated.

Check the following:
http://lists.bastille-linux.org/pipermail/bastille-linux-discuss/2000-February/001020.html
http://www.pgci.ca/p_fingerprint.html
There was also a decent thread on Bugtraq on the subject back in Feb. of
1999.

I'm sure you should also look at Fyodor's excellent article in Phrack54
(http://phrack.infonexus.com/search.phtml?view&article=p54-9) where he 
discusses methods of OS fingerprint detection.

> John
__
joseph
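To make concrete what the thread is talking about (stack defaults such as initial TTL, the DF bit, the TCP window, and the order of TCP options giving away the OS, and why altering them defeats a matcher), here is a small passive fingerprinter written for this archive page. It is an added example, not code from either poster or from nmap/queso; the two signatures in SIGNATURES are illustrative values assumed for the example, not real tool data, and the SYN packets are constructed in memory and never sent.

```python
"""Passive TCP/IP stack fingerprinting from a SYN, and why changing stack
defaults defeats it.  Added example; SIGNATURES are illustrative, not real
nmap/queso/p0f signatures."""
import struct

# TCP option kinds this example recognises (RFC 793, 1323, 2018)
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}


def parse_syn(pkt):
    """Pull the stack-dependent fields out of a raw IPv4+TCP SYN."""
    vihl, _tos, _tlen, _id, frag, ttl, proto, _cs, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if (vihl >> 4) != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (vihl & 0x0F) * 4
    tcp = pkt[ihl:]
    _sp, _dp, _seq, _ack, off_flags, window, _cs2, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    flags = off_flags & 0x1FF
    if flags & 0x12 != 0x02:              # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    doff = (off_flags >> 12) * 4
    opts = tcp[20:doff]
    order, mss, wscale = [], None, None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: only padding follows
            break
        if kind == 1:
            order.append("NOP")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        body = opts[i + 2:i + length]
        order.append(OPT_NAMES.get(kind, "OPT%d" % kind))
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            wscale = body[0]
        i += length
    return {"ttl": ttl, "df": bool(frag & 0x4000), "window": window,
            "mss": mss, "wscale": wscale, "opts": order}


def initial_ttl(observed):
    """Guess the sender's initial TTL: routers decrement it, so round up."""
    for t in (32, 64, 128, 255):
        if observed <= t:
            return t
    return 255


# Illustrative signatures, assumed for this example (not real tool data).
SIGNATURES = {
    "linux-2.2-like": {"ttl": 64, "df": True, "window": 32120,
                       "opts": ["MSS", "SACKOK", "TS", "NOP", "WS"]},
    "win9x-like": {"ttl": 128, "df": True, "window": 8192, "opts": ["MSS"]},
}


def fingerprint(pkt):
    """Return the names of every signature the SYN matches on all four traits."""
    f = parse_syn(pkt)
    return [name for name, sig in SIGNATURES.items()
            if initial_ttl(f["ttl"]) == sig["ttl"] and f["df"] == sig["df"]
            and f["window"] == sig["window"] and f["opts"] == sig["opts"]]


def build_syn(ttl, df, window, options):
    """Construct a minimal IPv4+TCP SYN in memory (checksums left zero; never sent)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options to a 32-bit boundary
    doff = 5 + len(options) // 4
    tcp = struct.pack("!HHIIHHHH", 1025, 80, 0x12345678, 0, (doff << 12) | 0x02, window, 0, 0) + options
    frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed option blobs: MSS 1460, SACK-OK, timestamps, NOP, window scale 0
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x00"
WIN_OPTS = b"\x02\x04\x05\xb4"

if __name__ == "__main__":
    # A stock stack four hops away is still recognised (TTL 60 rounds up to 64).
    print(fingerprint(build_syn(60, True, 32120, LINUX_OPTS)))
    # Changing only the TTL and window leaves the option order as a tell: no match.
    print(fingerprint(build_syn(128, True, 8192, LINUX_OPTS)))
    # Matching every trait of another stack is what a kernel patch has to do.
    print(fingerprint(build_syn(128, True, 8192, WIN_OPTS)))
```

The point the second and third calls make is the one the thread circles around: a stack has several independent tells (initial TTL, DF, window, option set and order, plus the replies to odd flag combinations that this passive example does not cover), and a disguise only works when all of them are changed together, which is why it takes a kernel patch rather than a single sysctl.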
