Old 02-26-2010, 03:56 PM   #1
allied air
LQ Newbie
Registered: Feb 2008
Distribution: Slackware
Posts: 16

Rep: Reputation: 0
OS fingerprint spoofing through sysctl; possible/practical?

I've been researching a bit of stack fingerprinting for fun and profit, but have found precious little in the way of stack spoofing tech.

Basically, i'ma running nmap against a dummy box and trying to make it look like a bluetooth fridge (for example), as opposed to the slackware box that it actually is.

I came across two dead projects (morph & ip personalities) which have not been updated since 2k5 that purported to do this very thing, but I could not get either of 'em to work. There is a windaes version here which I intend to try asap, and possibly steal some of the configs from.

I did however find on here a mention of using sysctl to perform the exact same function, and while it wasn't perfect, it did generate some confusion from nmap. Made sense to me that the projects have been terminated due to a much simpler method of adjusting 'nix stack handling procedures in the form of sysctl.

so the queries:
Anyone used sysctl extensively for this purpose, and have amusing or useful anecdotes to share?
Can nmap's funky fingerprint db be auto converted into human readable form/sysctl quick script?



Last edited by allied air; 02-26-2010 at 04:03 PM.
Old 02-26-2010, 08:22 PM   #2
Registered: Feb 2009
Distribution: FreeBSD, OpenBSD, NetBSD, Debian, Fedora
Posts: 770
Blog Entries: 52

Rep: Reputation: 68
Why not run the services chrooted or on a vm?
Old 02-27-2010, 06:01 AM   #3
allied air
LQ Newbie
Registered: Feb 2008
Distribution: Slackware
Posts: 16

Original Poster
Rep: Reputation: 0
The vm method;
1. I hadn't thought of that, thanks for the alternative.
2. it requires significantly more resources than I have to play with (cyrix p266, 64 meg ram).

the chroot method;
1. I've only used chroot for switching between root directories for os installation cloning and setup, how could it help?

The intended purpose is to make John A. Black-Hat or Jim T. Script-Kidd waste time trying to determine the os and thusly try methods more likely to be detected as anomalous.

Peripherally, the windaes spoofer works remarkably well, nmap hadn't a clue as to what it was looking at.

Last edited by allied air; 02-27-2010 at 06:15 AM.
Old 02-27-2010, 10:21 AM   #4
allied air
LQ Newbie
Registered: Feb 2008
Distribution: Slackware
Posts: 16

Original Poster
Rep: Reputation: 0
this does not carry out any automatic error checking or allow for specified reset, so use with caution.
#27/02/2010 "Osfigment"
#linux os spoofing kludge using sysctl
#written by submitting student (in vi!) for Network security 4 CA resit
#concept and file format based on osfuscate by anonymous
#use at own risk; potentially dangerous, badly written, and only nominally tested.

ospro="$1" #get profile
oldifs="$IFS" #store Interfield separator for later reset
IFS=' = ' #set IFS for a space = space delimiter
if [ ! -e "$ospro" ]; then
	echo "pass an os profile to the script"
	exit 1
fi
#the profile key names matched by each case pattern did not survive in this post;
#replace each quoted placeholder with the matching key from the osfuscate profile file
while read parm val # cycle through profile entries
do
	case $parm in
		"<ttl key>")
			kattl=$val ;;
		"<timestamp key>")
			kastamp=$val ;;
		"<pmtu key>")
			kapmtu=$val ;;
		"<urgent pointer key>")
			kaurg=$val ;;
		"<window key>")
			kawindow=$val ;;
		"<sack key>")
			kasack=$val ;;
		"<mtu key>")
			kamtu=$val ;;
	esac
done < "$ospro"
echo "ttl = $kattl"
echo "stamp = $kastamp"
echo "pmtu = $kapmtu"
echo "urg = $kaurg"
echo "window = $kawindow"
echo "sack = $kasack"
echo 'these are the values found; check and "yes" to continue,'
read amen
if [ "$amen" != yes ]; then
	echo wise
	exit 0
else
	IFS="$oldifs" # just in case it doesnt reset properly <.<
	echo "using sysctl and /proc/sys/net to screw up your system; startup system configuration is not affected"
	#default time to live
	sysctl net.ipv4.ip_default_ttl="$kattl"
	sysctl net.ipv4.tcp_timestamps="$kastamp"
	#MTU discovery value
	sysctl net.ipv4.ip_no_pmtu_disc="$kapmtu"
	#urgent traffic flag
	sysctl net.ipv4.tcp_stdurg="$kaurg"
	#Selective Acknowledgement (rfc2018)
	sysctl net.ipv4.tcp_sack="$kasack"
	#modifies default and max receive and transmit window size
	if [ "$kawindow" != 'x' ]; then
		echo "$kawindow" > /proc/sys/net/core/rmem_max
		echo "$kawindow" > /proc/sys/net/core/wmem_max
		echo "$kawindow" > /proc/sys/net/core/rmem_default
		echo "$kawindow" > /proc/sys/net/core/wmem_default
	fi
	#MTU is imprudent to mess with, and does little good either way
fi
and some references

Josefsson B, TCP tuning cookbook, SUNET, 2004 [online] Available: [Accessed : 01/03/2010]
Lal Jangir M, Linux Network Stack Administration: A Developer's Approach, Linux For You
approach/[Accessed : 17/03/2010]
Morizot S, Easy Firewall Generator for iptables, 05/11/2005 [online] Available : [Accessed : 17/03/2010

If you can't tell, this file works with the original osfuscate profile files, so you'll need a copy of them too.

Sadly I only got 58% on this assessment :/

Last edited by allied air; 12-14-2010 at 03:25 PM.
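
On the question in post #1 of turning an nmap fingerprint into readable form and sysctl settings, the following is an added example, not code from any poster in this thread. It assumes the `NAME(attr=value%attr=value)` test-line syntax of nmap-os-db, uses a constructed sample entry, and the choice of which fields map to which sysctl keys is this example's own.

```python
import re

# Constructed sample in nmap-os-db test-line syntax (not copied from the real database).
SAMPLE = """\
Fingerprint Constructed example device
OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7)
WIN(W1=16A0%W2=16A0)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
"""

def parse_tests(text):
    """Return {test_name: {attr: value}} for lines shaped like NAME(a=b%c=d)."""
    tests = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\w+)\((.*)\)", line.strip())
        if m:
            pairs = (p.split("=", 1) for p in m.group(2).split("%") if "=" in p)
            tests[m.group(1)] = dict(pairs)
    return tests

def first_hex(value):
    """First value of a hex field that may hold a range (3B-45) or alternatives (a|b)."""
    return int(re.split(r"[-|]", value)[0], 16)

def to_sysctl(tests):
    """Map the fields Linux exposes as sysctls (this example's choice of mapping)."""
    t1, out = tests.get("T1", {}), {}
    raw = t1.get("TG") or t1.get("T")
    if raw:
        # T can be a range; round up to a common initial TTL, as nmap's TG guess does.
        out["net.ipv4.ip_default_ttl"] = next((c for c in (32, 64, 128, 255) if c >= first_hex(raw)), 255)
    if "DF" in t1:
        # DF=Y: don't-fragment bit set, which is what path MTU discovery produces.
        out["net.ipv4.ip_no_pmtu_disc"] = 0 if t1["DF"] == "Y" else 1
    if "OPS" in tests:
        # Option letters (S, T, W) are not hex digits, so plain membership is safe.
        opts = tests["OPS"].get("O1", "")
        out["net.ipv4.tcp_sack"] = int("S" in opts)
        out["net.ipv4.tcp_timestamps"] = int("T" in opts)
        out["net.ipv4.tcp_window_scaling"] = int("W" in opts)
    return out

def render(text):
    tests = parse_tests(text)
    lines = [f"sysctl -w {k}={v}" for k, v in to_sysctl(tests).items()]
    w1 = tests.get("WIN", {}).get("W1")
    if w1:
        lines.append(f"# W1 TCP window field = {first_hex(w1)}")
    return lines
```

Calling `render(SAMPLE)` returns the lines to review before applying anything; fields with no sysctl equivalent, such as the exact window value, are reported as comments only.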
Old 02-28-2010, 05:26 PM   #5
LQ Newbie
Registered: Feb 2010
Posts: 1

Rep: Reputation: 0
I was actually looking for the same thing today. I recently found out that sysctl can do this but I just don't know what parameters accomplish this. If you can please provide what parameters you used to fool nmap that would be awesome.
Old 04-29-2010, 09:56 PM   #6
LQ Newbie
Registered: Apr 2010
Posts: 7

Rep: Reputation: 0
hey allied air,

Is it possible to send me that windows spoofer? I'm really interested.

