RE: how to change OS identification?
From: Toni Heinonen (Toni.Heinonen_at_teleware.fi)
Date: Wed, 18 Feb 2004 20:48:29 +0200
To: "C. Ulrich" <firstname.lastname@example.org>, "Monty Ree" <email@example.com>
> Unless memory fails me, nmap detects the remote operating system by
> looking for slight variations in the responses that it gets from certain
> probes and other information coming back from the host. There is no
> string lying about somewhere in the packets that says, "Hi, I'm a Linux
> machine" for example. One would have to tweak almost every part of the
> networking code in order to make the packets appear that they're coming
> from some other particular operating system. If someone actually did
> this, the nmap authors could conceivably update their code to correct
> for the modifications in a later version, which then defeats the purpose
Yes, well, I guess you're quite safe if you only tweak your own servers. Especially if you tweak your server's fingerprint to look like the fingerprint of another TCP/IP stack.
Most of the fingerprinting, like the TTL value of IP packets and reactions to different combinations of strange TCP flags, can be tweaked either by the /proc filesystem or by just using iptables.
If you fully want to "smudge your TCP/IP fingerprint" you have to tweak the TCP/IP-stack code. A good article that goes through the whole thing, why you would want to do it and actually presents several good ready tools for the job can be found at http://voodoo.somoslopeor.com/papers/nmap.html.
The paper even details how you can put a Linux firewall in front of your network and make it smudge the fingerprints for even the hosts behind it. (Of course, I believe even a standard Cisco PIX firewall changes the TCP sequence numbers.)
> I'd guess that a good firewall and applying proper security procedures
> would go a lot further than trying to spoof your OS fingerprint.
Yes, indeed - this is security through obscurity, not to be considered real protection. A nice additional layer, however, I might add.
--
TONI HEINONEN
TELEWARE OY
Tel. +358 40 836 1815
Itäkeskuksen Maamerkki
00930 Helsinki, Finland
firstname.lastname@example.org * www.teleware.fi