LinuxQuestions.org - Linux - Security
Fooling OS fingerprint identification (http://www.linuxquestions.org/questions/linux-security-4/fooling-os-fingerprint-identification-3082/)

raz 06-05-2001 07:10 AM

Guys and Gals,

Does anyone know how to set TCP's MSS default value, on a Linux 7.x system?

I've told my Linux box not to discover the MTU of the network path without an MSS value from a responding host.

However this doesn't help me.
Basically, I'm trying to get my Linux box to confuse Nmap's OS fingerprint identification method, and to do this I need to change the default MSS that's sent out with the first SYN packet from my box.

Thanks
/Raz

unSpawn 06-05-2001 06:13 PM

It's under /proc/sys/net/core/ as the rmem and wmem stuff.

raz 06-06-2001 04:33 AM

cheers unSpawn, I'll check it out.

Thanks,
Raz

jharris 06-06-2001 06:32 AM

Nmap fails to fingerprint my machine; it's just got most of its ports set to DENY, so nmap doesn't get enough back to make a proper fingerprint.

Jamie...

raz 06-06-2001 07:16 AM

Yeah same here, when the firewall is up nothing can get a fingerprint on my box as rejected packets don't give enough info.

I'm trying to change this from a non-firewalled box.

Cheers,
Raz

jharris 06-06-2001 07:18 AM

Quote:

Originally posted by razbot
Yeah same here, when the firewall is up nothing can get a fingerprint on my box as rejected packets don't give enough info.

I'm trying to change this from a non-firewalled box.

Sounds cool, any chance you can post the results of your efforts - could be useful in the future.

Cheers.

Jamie...

unSpawn 06-06-2001 07:20 AM

Jamie,

Your fw marks itself as "Linux 2.1.122 - 2.2.16" tho.
(soz for me pryin around)

jharris 06-06-2001 07:26 AM

Quote:

Originally posted by unSpawn
Jamie,

Your fw marks itself as "Linux 2.1.122 - 2.2.16" tho.
(soz for me pryin around)

No worries - I've played with some of the rules recently and haven't done a full external portscan for a while. Might have to look into that one!! :)

Jamie...

raz 06-06-2001 09:11 AM

Jamie,

Sorry, but I thought I would also have a look too. :)

Just building on your last comment: if you have any open port, like from your httpd, and you don't get the TCP handshake to show different handshake info (like the stuff I'm attempting to modify on my box), then people will be able to work out the OS.

Your box responds with:
TSeq(Class=RI%gcd=1%SI=190FDB%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Which is Linux 2.2.16

Also, if you close/filter all the ports then I can still find out the OS type, as your firewall needs to filter out ICMP type 13 requests. "Windows boxes don't implement this type"

Also you should disable ICMP type 8. "ping requests"

Other than that your rules are set up well.

Also, don't DENY packets, REJECT them, as you can work out the filters you're running when the packets never come back; REJECT makes it look like the port is not used.

On a different note there is a server on that same subnet as yours that could cause a DOS attack on your subnet, as it's misconfigured and responded to me when I was asking your firewall to tell me if it was susceptible to broadcast pings. "smurf"

/Raz

[Edited by razbot on 06-06-2001 at 10:36 AM]

jharris 06-06-2001 12:35 PM

Quote:

Originally posted by razbot
Also, don't DENY packets, REJECT them, as you can work out the filters you're running when the packets never come back; REJECT makes it look like the port is not used.

On a different note there is a server on that same subnet as yours that could cause a DOS attack on your subnet, as it's misconfigured and responded to me when I was asking your firewall to tell me if it was susceptible to broadcast pings. "smurf"

The reason I am DENYing is to slow down anyone who is port scanning me, as your port scanner will try a few times before it gives up. REJECTing will just let them get onto the next port that little bit faster.

As for the other machine on the subnet - it doesn't surprise me! I'm on a Telewest cablemodem and most people just have them hooked straight into a Windows box with no firewall, so I imagine they'll be getting used for DDoS attacks soon enough :(

cheers for the input!

Jamie...

raz 06-07-2001 07:28 AM

You have a good point, but.

When you use something like nmap to scan, you can start off with the accepted but closed unprivileged ports, then it gets an idea of the timings for DENYed ports, so it just whizzes through them. It's also got a cool option called --max_rtt_timeout.

As for the DOS from the other system, just add these to your firewall script and problem gone.

# SYN-flood protection and fragment reassembly before filtering
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag        # 2.2-kernel knob; removed in 2.4+
# Ignore broadcast pings (smurf amplification) and bogus ICMP errors
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Drop packets with spoofed source addresses; neither accept nor send ICMP redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

+ block incoming type 8 ICMP requests.

/Raz
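The `echo ... > /proc/sys/...` lines above only hold until the next reboot and fail silently on a kernel that lacks one of the knobs. As an added example (not code from the thread), the script below turns those lines into the equivalent `sysctl.conf` fragment and audits a box against them, reporting every key that is missing or set differently. `read_proc` reads the live `/proc/sys` tree; the audit takes its reader as an argument, so the constructed `SNAPSHOT` dict (my assumption of what a later kernel with defaults would show, including the absence of `ip_always_defrag`) can be checked without root.

```python
"""Convert 'echo V > /proc/sys/...' lines to sysctl form and audit drift (added example)."""
import re
from pathlib import Path

# Constructed policy: the exact lines posted in the thread.
FIREWALL_SCRIPT_LINES = """\
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
"""

ECHO_RE = re.compile(r"^echo\s+(\S+)\s*>\s*/proc/sys/(\S+)$")


def parse_echo_lines(script):
    """Return {dotted.sysctl.key: value} from 'echo V > /proc/sys/a/b' lines."""
    policy = {}
    for line in script.splitlines():
        m = ECHO_RE.match(line.strip())
        if m:
            value, path = m.groups()
            policy[path.replace("/", ".")] = value
    return policy


def to_sysctl_conf(policy):
    """Render the policy as lines suitable for /etc/sysctl.conf."""
    return "\n".join(f"{k} = {v}" for k, v in policy.items()) + "\n"


def read_proc(key):
    """Read one sysctl from the live /proc/sys tree; None if it does not exist."""
    p = Path("/proc/sys") / key.replace(".", "/")
    try:
        return p.read_text().strip()
    except OSError:
        return None


def audit(policy, read=read_proc):
    """Return (key, expected, actual) for every key that is missing or differs."""
    findings = []
    for key, expected in policy.items():
        actual = read(key)
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


# Constructed snapshot (assumption): a later kernel at defaults, where
# ip_always_defrag no longer exists and syncookies/rp_filter are off.
SNAPSHOT = {
    "net.ipv4.tcp_syncookies": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.conf.all.accept_redirects": "1",
    "net.ipv4.conf.all.send_redirects": "1",
}


if __name__ == "__main__":
    policy = parse_echo_lines(FIREWALL_SCRIPT_LINES)
    print(to_sysctl_conf(policy))
    # Swap SNAPSHOT.get for read_proc to check the machine you are on.
    for key, want, got in audit(policy, SNAPSHOT.get):
        print(f"{key}: want {want}, got {got!r}")
```

Against the snapshot the audit flags five of the seven keys, one of them (`net.ipv4.ip_always_defrag`) as absent rather than wrong, which is the case the plain `echo` lines would hide. Note that `rp_filter` on current kernels may legitimately read `2` (loose mode); the audit treats that as drift from the posted value, which is what you want a policy check to do.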

