
Thread: make my windows box report as a *NIX box

  1. #1
    Junior Member
    Join Date
    Aug 2004
    Posts
    17

    make my windows box report as a *NIX box

    I'm trying to lock down my computer and I was wondering where/what values in the registry would make my Windows XP computer report (nmap, xprobe, etc.) as an ancient *NIX, toaster, microwave, anything other than a Windows device?

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    That is going to be pretty damn tough to do without the source code to the OS. What you need to understand is that these days, any worthy scanner uses specific characteristics of the IP implementation of the OS to make a guess at what it is.

    This includes things like how the sequence numbers are generated, windows, how it responds to a packet with certain flags, or all flags set, etc.

    Just changing the banner hasn't cut it since the late 90's.

    Sorry. Maybe you should just go ahead and run Linux or a BSD. That way your box will be sure to show up as a Unix flavor during port scans.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  3. #3
    You can start with changing the TTL from 128 to 64; this is one of the first things you would look at when trying to determine the OS. But as spurious_inode already stated, there are a lot of other things you cannot change like that.
    I suggest you get a decent firewall which will not allow the enumeration of your system.
    When it cannot be pinged, scanned etc., you can also not determine the OS that is running.

  4. #4
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by White Scorpion
    You can start with changing the TTL from 128 to 64; this is one of the first things you would look at when trying to determine the OS. But as spurious_inode already stated, there are a lot of other things you cannot change like that.
    I suggest you get a decent firewall which will not allow the enumeration of your system.
    When it cannot be pinged, scanned etc., you can also not determine the OS that is running.
    I could still tell just by simply looking at you on AIM if you use it. Don't act like all you need to do is what you said and no one can tell; it's not true.

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    What about the Proxomotron?

    But then that is if you're the client.. but if you're talking server.. I dunno

    I have a machine that identifies itself as a Victor Lawn Mower.. running Grass Browzer 2.2.. done mainly for the wank value..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    This is a slightly roundabout route, but can't you just set up a hardware router/firewall using an old 486? That could work..

    i2c

  7. #7
    Originally posted here by White Scorpion
    You can start with changing the TTL from 128 to 64; this is one of the first things you would look at when trying to determine the OS. But as spurious_inode already stated, there are a lot of other things you cannot change like that.
    I suggest you get a decent firewall which will not allow the enumeration of your system.
    When it cannot be pinged, scanned etc., you can also not determine the OS that is running.

    I could still tell just by simply looking at you on AIM if you use it. Don't act like all you need to do is what you said and no one can tell; it's not true.
    I would like to challenge you on this, 'cause I do not believe you can determine correctly which OS I am using when I am at home, simply because it wouldn't give you enough info to be exactly sure... These problems you also see when using nmap: if you do not have enough info, the program cannot determine which OS you are using. Ok, perhaps there are 1-2 people in the world which need very little, but I do not believe you are one of them (no offense), so let's keep it simple, and you tell me how you can determine an OS when the system has no open ports and doesn't reply to ping queries. I doubt you can. I really doubt it ...

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    .... Actually, most OS's have little quirks or other unique things about the way they act when you try to build a connection on a closed TCP port. Add to this the implementation-specific way that a system deals with UDP pings (packets in succession to incrementing UDP ports... see 'ping -sU <target>' on Solaris for example) and a ballpark guess on the OS is achieved. All NT-based OS's behave in a similar (and distinct from other OS's) manner to these kinds of probes.

    Raw sockets, DHCP pings, ARPs, and a whole slew of other `normal' network traffic can be used to build an OS fingerprint. Point is, don't rely on stupid tricks to thwart would-be attackers. Doing so falls dangerously into the category of 'security by obscurity', which plain doesn't work.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/
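    As an added example (not code from anyone in this thread), here is what the defender's side of spurious's and White Scorpion's points looks like in practice: a small passive monitor that takes a handful of constructed packet summaries and flags the probe shapes the posts describe, i.e. odd TCP flag combinations, connection attempts to closed ports and UDP to closed ports, and rounds each source's observed TTL up to the nearest common initial value (32/64/128/255). The packet record layout, the `OPEN_PORTS` set, the alert threshold and the sample packets are all assumptions made for the example.

```python
# Added example: a passive probe monitor over constructed packet summaries.
# Nothing here is from the original thread; field names, OPEN_PORTS, the
# threshold and SAMPLE_PACKETS are assumptions made for illustration.
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    proto: str                          # "tcp" or "udp"
    ttl: int                            # TTL as seen on the wire
    flags: frozenset = frozenset()      # TCP flag names; empty for UDP

ALL_TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
OPEN_PORTS = {80}                       # constructed: the only service this host exposes
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial TTL.

    A TTL of 57 most likely started at 64, 120 at 128, and so on. This is
    exactly why changing only the TTL (post #3) buys little on its own."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255

def probe_kind(pkt):
    """Name the probe shape a packet matches, or None for ordinary traffic.

    The flag combinations are the ones post #2 alludes to ("certain flags,
    or all flags set"); closed-port contacts are the behaviour post #8 says
    fingerprinters key on."""
    if pkt.proto == "udp":
        return None if pkt.dport in OPEN_PORTS else "udp-closed-port"
    f = pkt.flags
    if f == ALL_TCP_FLAGS:
        return "tcp-all-flags"
    if not f:
        return "tcp-no-flags"
    if f == frozenset({"FIN", "PSH", "URG"}):
        return "tcp-fin-psh-urg"
    if f == frozenset({"FIN"}):
        return "tcp-fin-only"
    if f == frozenset({"SYN"}) and pkt.dport not in OPEN_PORTS:
        return "tcp-syn-closed-port"
    return None                          # e.g. SYN/ACK/PSH to an open port

def summarize(packets, threshold=3):
    """Per source: number and kinds of probes seen, plus the initial-TTL guess.

    Sources below `threshold` probes are dropped so a single stray packet
    does not raise an alert."""
    per_src = defaultdict(Counter)
    ttl_guess = {}
    for p in packets:
        kind = probe_kind(p)
        if kind is not None:
            per_src[p.src][kind] += 1
        ttl_guess[p.src] = guess_initial_ttl(p.ttl)
    report = {}
    for src, kinds in per_src.items():
        total = sum(kinds.values())
        if total >= threshold:
            report[src] = {
                "probes": total,
                "kinds": sorted(kinds),
                "initial_ttl_guess": ttl_guess[src],
            }
    return report

# Constructed sample: one ordinary client, one source that walks closed
# ports with several probe shapes, one source that sends a single stray SYN.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 80, "tcp", 57, frozenset({"SYN"})),
    Packet("10.0.0.5", 80, "tcp", 57, frozenset({"ACK"})),
    Packet("192.0.2.9", 22, "tcp", 120, frozenset({"SYN"})),
    Packet("192.0.2.9", 22, "tcp", 120, ALL_TCP_FLAGS),
    Packet("192.0.2.9", 22, "tcp", 120, frozenset()),
    Packet("192.0.2.9", 23, "tcp", 120, frozenset({"FIN"})),
    Packet("192.0.2.9", 161, "udp", 120),
    Packet("198.51.100.4", 443, "tcp", 250, frozenset({"SYN"})),
]

def sample_report():
    """Run the monitor over the constructed sample."""
    return summarize(SAMPLE_PACKETS)

if __name__ == "__main__":
    for src, info in sample_report().items():
        print(src, info)
```

    Only 192.0.2.9 crosses the threshold; the ordinary client generates no probe records at all, and the single SYN from 198.51.100.4 stays below it. The TTL guess is deliberately kept as a separate field in the report: it is a weak signal on its own, which is the point both spurious and White Scorpion make from different directions.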

  9. #9
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    There are various tools on the internet for doing this with various operating systems. There are also other tweaks that can be done that make this more difficult.

    While the paper below is for a FreeBSD tool, it explains the basics of what they are doing, why, and has related material in the references section - http://www.usenix.org/publications/l...tml/index.html

    Another paper you might find useful is - http://voodoo.somoslopeor.com/papers/nmap.html

    And this page has a great deal of information - http://www.l0t3k.org/security/docs/fingerprinting/

    While the papers above describe Linux/Unix environments, similar things can be done with Windows.

    I wouldn't rely on this to keep things safe alone, but it can raise the bar a bit to keep some of the idiots out. (you must be at least this tall to ride this ride...)
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  10. #10
    .... Actually, most OS's have little quirks or other unique things about the way they act when you try to build a connection on a closed TCP port. Add to this the implementation-specific way that a system deals with UDP pings (packets in succession to incrementing UDP ports... see 'ping -sU <target>' on Solaris for example) and a ballpark guess on the OS is achieved. All NT-based OS's behave in a similar (and distinct from other OS's) manner to these kinds of probes.

    Raw sockets, DHCP pings, ARPs, and a whole slew of other `normal' network traffic can be used to build an OS fingerprint. Point is, don't rely on stupid tricks to thwart would-be attackers. Doing so falls dangerously into the category of 'security by obscurity', which plain doesn't work.
    Yeah ok, but you would still have to be able to monitor the network traffic and examine the packages.

    But normally when you have just an IP with no server running (that you know of) and you aren't able to monitor traffic (especially with a hardware firewall), I doubt it will be so easy. And that is what I was trying to say... Of course when you are running a webserver it would be a lot harder to block (maybe even impossible).
