February 5th, 2003, 01:35 AM
Just came across this little tool for the Linux 2.4 Kernel, and it sound pretty good in theory.
Basically, this patch will fool nmaps OS fingerprinting feature.
How can a hacker compromise what he thinks is a Win2K machine and launches his attack based on Win2K vulnerabilities, when in reality, it is a Linux machine?
The characteristics that can be changed are:
- TCP Initial Sequence Number (ISN)
- TCP initial window size
- TCP options (their types, values and order in the packet)
- IP ID numbers
- answers to some pathological TCP packets
- answers to some UDP packets
I know that this wouldnt replace any other security tools like Firewalls and Antivirus, and it could be considered to some extent "Security by Obscurity", but I think that it could be a nice inclusion to your systems overall"Security Suite".
Check it out at:
[glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]
February 5th, 2003, 02:13 AM
i guess this might be handy for honeypots.
i'll check out the link later. thanks.
\'hi, welcome to *****. if you would like to speak to an operator, please hang up now.\'
* click *
February 5th, 2003, 11:53 AM
Changing your OS fingerprint is only useful if you don't run any services which reveal the OS identity.
Many services *do* reveal what OS you're running, in which case changing the fingerprint is useless.
The other things is, TCP fingerprinting isn't *that* reliable anyway - load balancing, NAT firewalls etc often skew the results.
The other item is, if there are no open TCP ports on a host, it cannot be reliably fingerprinted anyway.
February 5th, 2003, 01:54 PM
Well.. those ip personalities can mask services you are running as well, as i have heard at least. I read an article some time back that would change your service names to stuff that doesnt look normal. Ill try to get the source again but if i dont just dont listen to me.. good thread..
edit >> not the same source, but close: http://126.96.36.199/search?q=cache...hl=en&ie=UTF-8
February 8th, 2003, 06:40 AM
This is a funny thing. We had a discussion concerning this on another forum. Apparently a member found a way to disguise his Red Hat webserver as Solaris 8 using ip personality. He also used a program called jiffies to effectively fool the Netcraft webserver survey. Finally he changed the source of apache to something different too.
Here is a link to that discussion http://forum.****microsoft.com/cgi-b...c&f=5&t=001343
Here is a link to his site.
Wine maketh merry: but money answereth all things.