OS fingerprint spoofing through sysctl; possible/practical?
I've been researching a bit of stack fingerprinting for fun and profit, but have found precious little in the way of stack spoofing tech.
Basically, I'm running nmap against a dummy box and trying to make it look like a bluetooth fridge (for example), as opposed to the Slackware box that it actually is.
I came across two dead projects (morph & ip personalities) which have not been updated since 2k5 that purported to do this very thing, but I could not get either of 'em to work. There is a windaes version here which I intend to try asap, and possibly steal some of the configs from.
I did however find on here a mention of using sysctl to perform the exact same function, and while it wasn't perfect, it did generate some confusion from nmap. Made sense to me that the projects have been terminated due to a much simpler method of adjusting 'nix stack handling procedures in the form of sysctl.
So the queries:
Anyone used sysctl extensively for this purpose, and have amusing or useful anecdotes to share?
Can nmap's funky fingerprint db be auto converted into human readable form/sysctl quick script?
cheers
a a
Last edited by allied air; 02-26-2010 at 03:03 PM.
The VM method:
1. I hadn't thought of that, thanks for the alternative.
2. It requires significantly more resources than I have to play with (Cyrix P266, 64 meg RAM).
The chroot method:
1. I've only used chroot for switching between root directories for OS installation cloning and setup; how could it help?
The intended purpose is to make John A. Black-Hat or Jim T. Script-Kidd waste time trying to determine the OS and thusly try methods more likely to be detected as anomalous.
Peripherally, the windaes spoofer works remarkably well; nmap hadn't a clue as to what it was looking at.
Last edited by allied air; 02-27-2010 at 05:15 AM.
This does not carry out any automatic error checking or allow for a specified reset, so use with caution.
Code:
#!/bin/bash
#27/02/2010 "Osfigment"
#linux os spoofing kludge using sysctl
#written by submitting student (in vi!) for Network security 4 CA resit
#concept and file format based on osfuscate[http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools] by anonymous
#use at own risk; potentially dangerous, badly written, and only nominally tested.
#profile format: one "name = value" per line (names: ttl, stamp, pmtu, urg, window, sack, mtu)
ospro="$1"      #get profile
oldifs="$IFS"   #store Internal Field Separator for later reset
IFS=' = '       #set IFS so "name = value" lines split on the " = " delimiter
if [ -z "$ospro" ] || [ ! -e "$ospro" ]; then
    echo "pass an os profile to the script"
    exit 1
fi
if [ "$(id -u)" -ne 0 ]; then
    echo "sysctl and /proc/sys need root; run as root"
    exit 1
fi
while read -r parm val  # cycle through profile entries
do
    case $parm in
        ttl)    kattl=$val ;;
        stamp)  kastamp=$val ;;
        pmtu)   kapmtu=$val ;;
        urg)    kaurg=$val ;;
        window) kawindow=$val ;;
        sack)   kasack=$val ;;
        mtu)    kamtu=$val ;;
    esac
done < "$ospro"
IFS="$oldifs"   #profile is read; restore IFS before anything else runs
echo "ttl = $kattl"
echo "stamp = $kastamp"
echo "pmtu = $kapmtu"
echo "urg = $kaurg"
echo "window = $kawindow"
echo "sack = $kasack"
echo 'these are the values found; check and type "yes" to continue'
read -r amen
if [ "$amen" != yes ]; then
    echo wise
    exit 0
fi
echo "using sysctl and /proc/sys/net to screw up your system; startup system configuration is not affected"
setk() {    #set a sysctl only when the profile actually supplied a value
    [ -n "$2" ] && sysctl -w "$1=$2"
}
#default time to live
setk net.ipv4.ip_default_ttl "$kattl"
#tcp timestamps (rfc1323)
setk net.ipv4.tcp_timestamps "$kastamp"
#MTU discovery value
setk net.ipv4.ip_no_pmtu_disc "$kapmtu"
#urgent traffic flag
setk net.ipv4.tcp_stdurg "$kaurg"
#Selective Acknowledgement (rfc2018)
setk net.ipv4.tcp_sack "$kasack"
#modifies default and max receive and transmit window size; 'x' in the profile leaves them alone
if [ -n "$kawindow" ] && [ "$kawindow" != 'x' ]; then
    echo "$kawindow" > /proc/sys/net/core/rmem_max
    echo "$kawindow" > /proc/sys/net/core/wmem_max
    echo "$kawindow" > /proc/sys/net/core/rmem_default
    echo "$kawindow" > /proc/sys/net/core/wmem_default
fi
#MTU ($kamtu) is imprudent to mess with, and does little good either way, so it is read but never applied
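The script above applies whatever it reads with no checking, as its author says. As an added example that is not from the thread, here is a Python checker for the same "name = value" profile format: it maps each entry to the sysctl the script sets, rejects out-of-range values, and does a dry run against /proc/sys so you can see what would actually change before touching anything. The accepted ranges and SAMPLE_PROFILE are my own conservative assumptions, not part of the original script.

```python
import re
from pathlib import Path
# Profile name -> (sysctl keys the forum script sets, conservative range check);
# "window" fans out to the four net.core buffer sizes the script writes.
KNOWN = {
    "ttl":    (("net.ipv4.ip_default_ttl",), lambda v: 1 <= v <= 255),
    "stamp":  (("net.ipv4.tcp_timestamps",), lambda v: v in (0, 1)),
    "pmtu":   (("net.ipv4.ip_no_pmtu_disc",), lambda v: v in (0, 1)),
    "urg":    (("net.ipv4.tcp_stdurg",), lambda v: v in (0, 1)),
    "sack":   (("net.ipv4.tcp_sack",), lambda v: v in (0, 1)),
    "window": (("net.core.rmem_max", "net.core.wmem_max",
                "net.core.rmem_default", "net.core.wmem_default"), lambda v: v > 0),
}
LINE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$")
# Constructed sample profile in the script's "name = value" format (not from the thread).
SAMPLE_PROFILE = ("# constructed profile\nttl = 128\nstamp = 0\npmtu = 1\n"
                  "urg = 0\nwindow = 65535\nsack = 1\nmtu = 1500\n")

def parse_profile(text):
    """Return (settings, errors); settings is a list of (sysctl key, int)."""
    settings, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        m = LINE.match(raw)
        if not m:
            errors.append(f"line {n}: expected 'name = value'")
            continue
        name, val = m.groups()
        if name == "mtu" or (name == "window" and val == "x"):
            continue  # left untouched, exactly as the forum script does
        if name not in KNOWN:
            errors.append(f"line {n}: unknown parameter {name!r}")
        elif val.isdigit() and KNOWN[name][1](int(val)):
            settings += [(k, int(val)) for k in KNOWN[name][0]]
        else:
            errors.append(f"line {n}: {val!r} out of range for {name}")
    return settings, errors

def plan_changes(settings, proc_root="/proc/sys"):
    """Dry run: (key, current, wanted) for each live value that differs."""
    changes = []
    for key, wanted in settings:
        try:  # reading /proc/sys needs no privileges; only writing does
            current = int(Path(proc_root, *key.split(".")).read_text().split()[0])
        except (OSError, ValueError, IndexError):
            current = None  # key absent on this kernel (or not Linux at all)
        if current != wanted:
            changes.append((key, current, wanted))
    return changes
```

Run parse_profile on a profile and refuse to apply anything while errors is non-empty; plan_changes then tells you which keys the script would really touch on this kernel.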
I was actually looking for the same thing today. I recently found out that sysctl can do this, but I just don't know what parameters accomplish this. If you can please provide what parameters you used to fool nmap, that would be awesome.