
Thread: Fun with OS fingerprinting

  1. #1
    Senior Member cwk9
    Join Date
    Feb 2002
    Posts
    1,207

    Fun with OS fingerprinting

    Now you can make your computer fool nmap into thinking it is a Dreamcast or an Apple LaserWriter

    Read the whole thing here: http://voodoo.somoslopeor.com/papers/nmap.html


    http://slashdot.org/articles/03/03/1....shtml?tid=172
    taviso writes "Are you bored with your OS fingerprint? Do you dream of being able to impress your friends by convincing them your webserver is running on a Sega Dreamcast, or Apple LaserWriter? Well, dream no more! David Berrueta has written a paper outlining the techniques and tools available to defeat nmap's OS fingerprinting, available here [pdf]. Besides the hours of entertainment this could provide, he also lists some of the more serious reasons why you might want to consider this."

  2. #2
    Leftie Linux Lover the_JinX
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    w0000t

    great find !!!

    next best thing to fakeroute !!!
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Senior Member
    Join Date
    Nov 2002
    Posts
    174
    Hmmm... interesting. I'm interested in finding out how the program (located at the destination IP) changes the hops before the destination. It doesn't make sense to me. Can anyone enlighten me?

    Edit: I'm referring to the "fakeroute" link posted.

    Along the lines of the original post (and I'm sure this is stated somewhere in the linked stories, but I haven't read them yet)...

    If you do decide to spoof the responses and make a mapping program think you are a different type of machine than you really are, you REALLY have to stay on top of it. I just read Network Intrusion Detection 3rd Edition (Northcutt & Novak) in which they discuss this and the fact that oftentimes upgrades will overwrite your response modifications and your machine could potentially send an identifying response.... all they need is one! If you've got the time to make sure you cover all the bases and spoof ALL responses, go for it!

    Just thought I'd say that since I just finished reading about it.
    Mike Reilly
    bluebeard96@yahoo.com
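    The "all they need is one" point above, as an added illustration that is not code from the thread, from Berrueta's paper or from nmap: a toy passive matcher that scores a SYN against a four-attribute signature table (initial TTL, window size, DF bit, TCP option order). The signature table and the three observations are constructed for this example and are not nmap's or p0f's database; the labels, values and the 12-hop distance are assumptions. The point it shows is that a host which changes only its default TTL still matches its real OS on the attributes it did not touch.

```python
"""Toy passive OS matcher: a host that changes only one attribute still leaks the rest."""
from dataclasses import dataclass

ATTRIBUTES = ("ttl", "window", "df", "options")


@dataclass(frozen=True)
class SynObservation:
    """What a listener sees in one SYN: TTL on the wire, window, DF bit, option order."""
    ttl: int
    window: int
    df: bool
    options: tuple


# Illustrative signature table, constructed for this example (not nmap's or p0f's
# database): label -> (initial TTL, window size, DF set, TCP option order).
SIGNATURES = {
    "linux-2.4-like":    (64, 5840, True, ("MSS", "SACK", "TS", "NOP", "WS")),
    "windows-2000-like": (128, 16384, True, ("MSS", "NOP", "NOP", "SACK")),
    "openbsd-like":      (64, 16384, True, ("MSS", "NOP", "NOP", "SACK", "NOP", "WS", "NOP", "NOP", "TS")),
}


def initial_ttl(observed_ttl):
    """Round the TTL seen on the wire up to the nearest common initial value."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def matches(obs, signature):
    """Names of the attributes on which obs agrees with signature."""
    ittl, window, df, options = signature
    agree = (initial_ttl(obs.ttl) == ittl, obs.window == window,
             obs.df == df, obs.options == options)
    return [name for name, ok in zip(ATTRIBUTES, agree) if ok]


def classify(obs):
    """Best-matching label and the attributes that matched it (first label wins ties)."""
    label, signature = max(SIGNATURES.items(), key=lambda item: len(matches(obs, item[1])))
    return label, matches(obs, signature)


def leaked_attributes(obs, pretend_as):
    """Attributes that still disagree with the OS the host is trying to look like."""
    matched = matches(obs, SIGNATURES[pretend_as])
    return [name for name in ATTRIBUTES if name not in matched]


# Constructed observations (not captured traffic), all from a host assumed 12 hops away.
LINUX_OPTIONS = ("MSS", "SACK", "TS", "NOP", "WS")
REAL_LINUX = SynObservation(ttl=64 - 12, window=5840, df=True, options=LINUX_OPTIONS)
# Same host after raising only its default TTL to 128 to pass as Windows.
HALF_SPOOFED = SynObservation(ttl=128 - 12, window=5840, df=True, options=LINUX_OPTIONS)
# Same host after also matching the window size and option order.
FULLY_SPOOFED = SynObservation(ttl=128 - 12, window=16384, df=True,
                               options=("MSS", "NOP", "NOP", "SACK"))

if __name__ == "__main__":
    for name, obs in (("real", REAL_LINUX), ("ttl only", HALF_SPOOFED), ("all four", FULLY_SPOOFED)):
        label, matched = classify(obs)
        leaks = leaked_attributes(obs, "windows-2000-like")
        print(f"{name:9s} -> {label} on {matched}; still leaks {leaks}")
```

    With only the TTL changed, the host still classifies as its real OS on window size and option order, which is the single identifying response the post warns about; an upgrade that resets the tuned attributes puts it straight back into that state.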

  4. #4
    Leftie Linux Lover the_JinX
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    TraceRoute works like this....

    traceroute sends a packet to you with a TTL (Time To Live) of 1

    that packet comes to the first hop (between it and you) and reaches TTL 0; the computer sends back a TimedOut packet (along with its IP address)

    Then traceroute sends a packet with a TTL of 2
    comes through the first hop (with a TTL of 1) and comes to the second, which sends a TimedOut packet...

    Traceroute sends a packet with a TTL of 3 etc....

    Then when it reaches you your computer sends back a DestinationReached packet..


    fakeroute doesn't send back those DestinationReached packets, but sends TimedOut packets with different IP addresses until it comes to the end of its list (the fake destination) and then it sends back a DestinationReached packet with its address !!!


    hope this clears some stuff

    *sorry but I can't remember the real names of the TimedOut and DestinationReached packets !!!

    *I wrote this in 2 minutes without reference material, so no warranty whatsoever on content !!!!

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    174
    OK, I'm new to this, so bear with me

    Question 1: Wouldn't lines 4 and 6 of the manipulated traceroute put up a red flag?

    4 core3-g2-0.snfc21.pbi.net (206.171.134.130) 9.467 ms 8.700 ms 9.152 ms
    5 rback23-fe2-0.snfc21.pbi.net (216.102.187.149) 14.432 ms 20.435 ms 16.546 ms
    6 core4-g3-0.snfc21.pbi.net (216.102.187.130) 0.883 ms 0.594 ms 0.427 ms

    Correct me if I'm wrong, but I can only see two reasons to have the same IP twice in a traceroute.

    1) Misconfigured router sending traffic back through a place it's already been (most likely resulting in a fun looping situation)

    2) A manipulated response that shows traffic going back through the same router to find the fake destination. Granted, this wouldn't ALWAYS be the case, but it would most of the time (unless the target happened to pick a fake destination inside his same ISP, for example).


    Question 2: Do the traceroute results show the IP the request went to, or the IP sent back when the TTL=0? I am assuming it is the IP sent back with the timeout (otherwise hop 6 would show the target ip).


    So it looks to me like everything past hop 5 would be the same results as a separate tracert from the target computer to the fake destination IP. The target computer simply stops the ICMP packet and adds the next hop of the latter (fake) tracert one at a time.


    Question 3: Is there a way that the program can tell what hops happened before the request got to the target so it can remove any duplicate hops? It looks like the program removed one duplicate (line 5 should be there twice since that IP is both the last hop before the target and is ALSO the first hop from the true target on the way to the fake target). Without doing its own tracert to the source IP, can you know the entire path of the trace (all IPs), or can you only determine the IP source of the tracert and the IP from the 1 previous hop (since that's the immediate IP that forwarded the packet to you)?

    4 core3-g2-0.snfc21.pbi.net (206.171.134.130) 9.467 ms 8.700 ms 9.152 ms
    5 rback23-fe2-0.snfc21.pbi.net (216.102.187.149) 14.432 ms 20.435 ms 16.546 ms
    6 core4-g3-0.snfc21.pbi.net (216.102.187.130) 0.883 ms 0.594 ms 0.427 ms

    If you can only know the source IP and the IP of the 1 previous hop, I can see how one wouldn't be able to remove the duplicate line 6. However, wouldn't it be a smart idea if the program resolved the hostname of the one previous IP (hop 5 in this case - "rback23-fe2-0.snfc21.pbi.net)", determined the TLD as pbi.net, and then removed all pbi.net hops in the secondary tracert that it appends to the first request? That would avoid a great deal of duplicate routers.

    Anyway, I'm rambling. Just found this topic interesting!
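    The exchange the_JinX describes in #4 and the repeated-address red flag raised in #5, as an added simulation that is not fakeroute's source code or anything from Berrueta's paper. The reply names the_JinX couldn't recall are ICMP Time Exceeded (the TTL ran out at that hop) and, for classic UDP traceroute, ICMP Port Unreachable as the "reached the destination" reply; traceroute prints the source address of whichever reply comes back, so a reply with a forged source address shows up as a hop. The simulation works at that level (who answers a probe of a given TTL, and from which address) rather than crafting packets. The router list, fake hop list, real target and fake destination are assumptions, using addresses from the documentation ranges.

```python
"""Simulated traceroute against an honest target and against a fakeroute-style target."""

TIME_EXCEEDED = "ICMP Time Exceeded"
PORT_UNREACHABLE = "ICMP Port Unreachable"   # what UDP traceroute treats as 'destination reached'


def make_honest_target(routers, target_ip):
    """Return probe(ttl) for a normal path: the routers in order, then the real host."""
    def probe(ttl):
        if ttl <= len(routers):
            return TIME_EXCEEDED, routers[ttl - 1]      # TTL reaches 0 at this router
        return PORT_UNREACHABLE, target_ip               # probe reached the host itself
    return probe


def make_fakeroute_target(routers, fake_hops, fake_dest):
    """Same routers, but the host answers by the TTL left when the probe arrives:
    a spoofed Time Exceeded from each fake hop in turn, then 'destination reached'
    from the fake destination. Its own address is never used as a reply source."""
    def probe(ttl):
        if ttl <= len(routers):
            return TIME_EXCEEDED, routers[ttl - 1]
        remaining = ttl - len(routers)                   # 1 on the first probe to reach the host
        if remaining <= len(fake_hops):
            return TIME_EXCEEDED, fake_hops[remaining - 1]   # forged source address
        return PORT_UNREACHABLE, fake_dest
    return probe


def traceroute(probe, max_hops=30):
    """Probe with TTL 1, 2, 3, ... and record the address each reply came from,
    stopping at the first reply that is not Time Exceeded."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, src = probe(ttl)
        hops.append((ttl, src, kind))
        if kind != TIME_EXCEEDED:
            break
    return hops


def repeated_addresses(hops):
    """Addresses that answer for more than one TTL: the red flag from the discussion
    above (a looping route, or a forged continuation that re-walks the same routers)."""
    seen, repeats = set(), []
    for _, src, _ in hops:
        if src in seen and src not in repeats:
            repeats.append(src)
        seen.add(src)
    return repeats


# Constructed addresses from the documentation ranges; not taken from any real trace.
ROUTERS = ["192.0.2.1", "192.0.2.2", "198.51.100.1", "198.51.100.2"]
REAL_TARGET = "203.0.113.10"
# The forged continuation pretends the trace leaves again via the same two upstream routers.
FAKE_HOPS = ["198.51.100.2", "198.51.100.1", "203.0.113.250"]
FAKE_DEST = "203.0.113.251"

honest = traceroute(make_honest_target(ROUTERS, REAL_TARGET))
forged = traceroute(make_fakeroute_target(ROUTERS, FAKE_HOPS, FAKE_DEST))

if __name__ == "__main__":
    for label, trace in (("honest target", honest), ("fakeroute target", forged)):
        print(label)
        for ttl, src, kind in trace:
            print(f"{ttl:2d}  {src:16s} {kind}")
        print("repeated addresses:", repeated_addresses(trace))
```

    In the forged trace the real host's address never appears, and the two upstream routers answer twice, once for real and once as forged sources, which is exactly the duplicate that question 1 above flags. The host can only avoid that by not reusing addresses the probe has already passed, and it has no way to learn that path other than the address of the router that delivered the probe.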

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    144
    muhahahaha, I just got an idea...

    I want my server to look like a palm pilot, with 300 extra hops..

    MUAHAHA, phjeer my monster dual 800 palm pilot!!! (sorry for the incorrect 1337 speak, thought I'd make it somewhat readable.)

  7. #7
    Senior Member
    Join Date
    Dec 2002
    Location
    Fresnoooo
    Posts
    327
    Can mine look like a toaster?


    btw...great link, perfect read for my bubble bath tonight! Thanx!
    Because I am a woman, I must make unusual efforts to succeed. If I fail, no one will say, "She doesn't have what it takes"; They will say, "Women don't have what it takes".
    Clare Boothe Luce

  8. #8
    Junior Member
    Join Date
    Feb 2003
    Posts
    2
    Oh wow! That is great. I'm still really new to this but it is really helping me out. Thank you cwk9.
