Nmap Announce mailing list archives

Faking/Spoofing nmap's OS reply?


From: "elad" <hax0r () netvision net il>
Date: Mon, 21 Aug 2000 22:21:24 +0200

Hey-

I'm planning on writing some sort of paper on nmap and some related issues.
Please note that the paper is intended for the newbie-intermediate level, so
don't flame or say stuff like ``It's obvious'' etc.

Anyway. I was planning on writing how nmap works (basically), with a small
explanation about the TCP stack. Then move to why you can't 'spoof' your
OS when scanned with nmap. After that maybe add a part about how you can
fake/spoof your OS anyway, but in an inefficient way.

Now I have some questions,
(A) Is rewriting the TCP stack by recompiling the kernel with different 
options thus making nmap think you're running OS X instead of OS Y the
only way to really spoof/fake the reply? (notice that I am talking about
spoofing/faking, not making it undetectable)

(B) Will mixing lots of stack options when recompiling the kernel confuse
nmap thus making it reply with something like ``Too many fingerprints'' or
something similar?

(C) Are there any other ways you can think of to spoof/fake the OS reply..?


Also, I had in mind an idea about a dynamic TCP stack of some sort; is it
possible?

By the way, the paper will probably be in Hebrew (I'm making it for a new
security site some friends and I are about to put up), so, you think I
should translate it when it's done (into English)? You think writing this
paper will do any good?

Thank you for your time,



elad,                                             `  _'_  '
<hax0r () netvision net il>             -  (o)o)  -
                                              -ooO'(_)--Ooo- 
PGP  Key ID: 0x507CC7CE
Fingerprint: 28E5 2BA8 7A46 A927 4B2F  0888 F106 EDA2 507C C7CE  
Unless you're using a Windows based email client, the ASCII is fucked. :/


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).