RE: how to change OS idenfication?

From: Neil Fryer (nfryer_at_marimba.com)
Date: 02/19/04

    To: "'C. Ulrich'" <dincht@securenym.net>, Monty Ree <chulmin2@hotmail.com>
    Date: Thu, 19 Feb 2004 08:58:05 -0800
    
    

    Hi Monty,

    As for making your Linux box seem identified as a Windoze box, can't help. To
    stop OS fingerprinting, enable Netfilter on your Linux box, as one of the
    default rules (if memory serves correctly) will stop OS fingerprinting by
    playing with the TCP/IP stack a bit.
    This is how I have it set up on a couple of our Linux servers and
    firewalls.

    HTH

    Neil

    -----Original Message-----
    From: C. Ulrich [mailto:dincht@securenym.net]
    Sent: Wednesday, February 18, 2004 7:44 AM
    To: Monty Ree
    Cc: focus-linux@securityfocus.com
    Subject: Re: how to change OS idenfication?

    On Tue, 2004-02-17 at 05:20, Monty Ree wrote:
    > Hello, all.
    >
    > I have operated a Linux server and I would like to change the OS
    > identification.
    > So using nmap, I would like to be seen as Windows instead of Linux for
    > security reasons.
    >
    > I heard that ippersonality (http://ippersonality.sourceforge.net) enables
    > this.
    > But the development of ippersonality seems to have stopped.
    >
    > Is there any other method to change the OS identification?
    >
    > Thanks in advance.

    Unless memory fails me, nmap detects the remote operating system by
    looking for slight variations in the responses that it gets from certain
    probes and other information coming back from the host. There is no
    string lying about somewhere in the packets that says, "Hi, I'm a Linux
    machine" for example. One would have to tweak almost every part of the
    networking code in order to make the packets appear that they're coming
    from some other particular operating system. If someone actually did
    this, the nmap authors could conceivably update their code to correct
    for the modifications in a later version, which then defeats the purpose
    of the modifications, which then creates a vicious circle that spirals
    out of control, causing earthquakes and eradicating whole hemispheres of
    the planet, ad infinitum, ad nauseam, etc.

    You can see that it would just be a huge mess that, frankly, nobody
    wants to deal with. For information on how nmap fingerprinting works,
    see:

    http://www.insecure.org/nmap/nmap-fingerprinting-article.html

    I'd guess that a good firewall and applying proper security procedures
    would go a lot further than trying to spoof your OS fingerprint.

    Charles Ulrich

    P.S. You want your server to appear to be running Windows instead of
    Linux for security reasons? You're an interesting character. :)

    -- 
    http://bityard.net
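
Added example (not part of the original thread): a toy matcher illustrating the point made above that a fingerprint is a combination of many stack behaviours, so changing a single one (here the initial TTL) does not make a Linux host read as Windows. The profile values, feature names and sample observations are constructed and simplified; they are not nmap's database or algorithm.

```python
# Constructed, simplified reference profiles (assumption: four features only).
PROFILES = {
    "Linux": {"ttl": 64, "df": True, "timestamps": True,
              "options": "mss,sackOK,ts,nop,wscale"},
    "Windows": {"ttl": 128, "df": True, "timestamps": False,
                "options": "mss,nop,wscale,nop,nop,sackOK"},
}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value,
    since each router hop on the path decrements it by one."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def score(observation):
    """Return {os_name: fraction of profile features the observation matches}."""
    obs = dict(observation, ttl=initial_ttl(observation["ttl"]))
    return {
        name: sum(obs[key] == value for key, value in profile.items()) / len(profile)
        for name, profile in PROFILES.items()
    }


def best_guess(observation):
    """Return the best-matching OS name and the full score table."""
    scores = score(observation)
    return max(scores, key=scores.get), scores


# Constructed observation: stock Linux host seen from 7 hops away.
STOCK_LINUX = {"ttl": 57, "df": True, "timestamps": True,
               "options": "mss,sackOK,ts,nop,wscale"}

# Constructed observation: same host after only the default TTL was raised to 128.
TTL_ONLY_TWEAK = dict(STOCK_LINUX, ttl=121)

if __name__ == "__main__":
    for label, obs in (("stock", STOCK_LINUX), ("ttl tweak", TTL_ONLY_TWEAK)):
        guess, scores = best_guess(obs)
        print(f"{label:10s} -> {guess:8s} {scores}")
```

With only the TTL changed, the remaining features still match the Linux profile, and the mixed result is itself a distinctive signature.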
    
