make my windows box report as a *NIX box
Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: make my windows box report as a *NIX box

  1. #1
    Junior Member
    Join Date
    Aug 2004
    Posts
    17

    make my windows box report as a *NIX box

    I"m trying to lockdown my computer and I was wondering where/what values in registry would make my windows xp computer report(nmap, xprobe, etc) as an ancient *NIX, toaster, microwave, anything other than windows device?

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    That is going to be pretty damn tough to do without the source code to the OS. What you need to understand is that these days, any worthy scanner uses specific characteristics of the IP implentation of the OS to make a guess at what it is.

    This includes things like how the sequence numbers are generated, windows, how it responds to a packet with certain flags, or all flags set. etc.

    Just changing the banner hasn't cut it since the late 90's.

    Sorry. Maybe you should just go ahead and run Linux or a BSD. That way your box will be sure to show up as a Unix flavor during port scans.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  3. #3
    you can start with changing the TTL from 128 to 64, this is one of the first things you would look at when trying to determin the OS. but as spurious_inode already stated, there are a lot of other things you can not change like that.
    i suggest you get a decent firewall which will not allow the enumeration of your system.
    when it can not be pinged, scanned etc, you can also not determine the OS that is running.

  4. #4
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by White Scorpion
    you can start with changing the TTL from 128 to 64, this is one of the first things you would look at when trying to determin the OS. but as spurious_inode already stated, there are a lot of other things you can not change like that.
    i suggest you get a decent firewall which will not allow the enumeration of your system.
    when it can not be pinged, scanned etc, you can also not determine the OS that is running.
    I could still tell just by simply looking at you on AIM if you use it. Don't act like all you need too do is what you said and no one can tell, it's not true.

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    What about the Proxomotron?

    But then that is if your the client.. but if your talking server..I dunno

    I have a machine that identifies itself as a Victor Lawn Mower.. running Grass Browzer 2.2.. done mainly for the wank value..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    This is a sligtly roundabout route, but cant u just setup a hardware router/ firewall using an old 486? that could work..

    i2c

  7. #7
    Originally posted here by White Scorpion
    you can start with changing the TTL from 128 to 64, this is one of the first things you would look at when trying to determin the OS. but as spurious_inode already stated, there are a lot of other things you can not change like that.
    i suggest you get a decent firewall which will not allow the enumeration of your system.
    when it can not be pinged, scanned etc, you can also not determine the OS that is running.


    I could still tell just by simply looking at you on AIM if you use it. Don't act like all you need too do is what you said and no one can tell, it's not true.
    i would like to challenge you on this, cause i do not believe you can determine correctly which OS i am using when i am at home, simply because it wouldn't give you enough info to be exactly sure... this problems you also see when using nmap, if you do not have enough info the program cannot determine which OS you are using. Ok, perhaps there are 1-2 people in the world which need very little, but i do not believe you are one of them (no offense), so lets keep it simple, and you tell me how you can determine an OS when the system has no open ports and doesn't reply to ping queries. i doubt you can. i really doubt it ...

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    .... Actually, most OS's have little quirks or other uniqe things about the way they act when you try to build a connection on a closed TCP port. Add to this the implementation specific way that a system deals with UDP pings (packets in succession to incrementing udp port... see 'ping -sU <target>' on Solaris for example) and a ballpark guess on the OS is achieved. All NT based OS's behave in a similar (and distinct from other OS's) manner to these kinds of probes.

    Raw sockets, DHCP pings, ARP's, and a whole slew of other `normal' network traffic can be used to build an OS fingerprint. Point is, don't rely on stupid tricks to thwart would be attackers. Doing so falls dangerously into the category of 'security by obscurity' which plain doesn't work.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  9. #9
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    There are various tools on the internet for doing this with various operating systems. There are also other tweaks that can be done that make this more difficult.

    While the paper below is a for a freebsd tool it explains the basics of what they are doing, why, and has related material in the references section - http://www.usenix.org/publications/l...tml/index.html

    Another paper you might find useful is - http://voodoo.somoslopeor.com/papers/nmap.html

    And this page has a great deal of information - http://www.l0t3k.org/security/docs/fingerprinting/

    While the papers above describe linux/unix environments, similar things can be done with windows.

    I wouldn't rely on this to keep things safe alone, but it can raise the bar a bit to keep some of the idiots out. (you must be at least this tall to ride this ride...)
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  10. #10
    .... Actually, most OS's have little quirks or other uniqe things about the way they act when you try to build a connection on a closed TCP port. Add to this the implementation specific way that a system deals with UDP pings (packets in succession to incrementing udp port... see 'ping -sU <target>' on Solaris for example) and a ballpark guess on the OS is achieved. All NT based OS's behave in a similar (and distinct from other OS's) manner to these kinds of probes.

    Raw sockets, DHCP pings, ARP's, and a whole slew of other `normal' network traffic can be used to build an OS fingerprint. Point is, don't rely on stupid tricks to thwart would be attackers. Doing so falls dangerously into the category of 'security by obscurity' which plain doesn't work.
    yeah ok, but you would still have to be able to monitor the network traffic and examin the packages.

    but normally when you have just an ip with no server running (that you know of) and you aren't able to monitor traffic, (especially with an hardware firewall) i doubt it will be so easy. and that is what i was trying to say... of course when you are running a webserver it would be a lot harder to block (maybe even impossible).

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •