IP Personality

Printable View

February 5th, 2003, 02:35 AM
SoggyBottom

IP Personality

Hi All,

Just came across this little tool for the Linux 2.4 Kernel, and it sound pretty good in theory.

Basically, this patch will fool nmaps OS fingerprinting feature.

Quote:

The characteristics that can be changed are:

- TCP Initial Sequence Number (ISN)
- TCP initial window size
- TCP options (their types, values and order in the packet)
- IP ID numbers
- answers to some pathological TCP packets
- answers to some UDP packets

How can a hacker compromise what he thinks is a Win2K machine and launches his attack based on Win2K vulnerabilities, when in reality, it is a Linux machine?

I know that this wouldnt replace any other security tools like Firewalls and Antivirus, and it could be considered to some extent "Security by Obscurity", but I think that it could be a nice inclusion to your systems overall"Security Suite".

Check it out at:

http://ippersonality.sourceforge.net/
February 5th, 2003, 03:13 AM
secretagent

hi

i guess this might be handy for honeypots.

i'll check out the link later. thanks.

regards,
mark.
February 5th, 2003, 12:53 PM
slarty

Changing your OS fingerprint is only useful if you don't run any services which reveal the OS identity.

Many services *do* reveal what OS you're running, in which case changing the fingerprint is useless.

The other things is, TCP fingerprinting isn't *that* reliable anyway - load balancing, NAT firewalls etc often skew the results.

The other item is, if there are no open TCP ports on a host, it cannot be reliably fingerprinted anyway.
February 5th, 2003, 02:54 PM
er0k

Well.. those ip personalities can mask services you are running as well, as i have heard at least. I read an article some time back that would change your service names to stuff that doesnt look normal. Ill try to get the source again but if i dont just dont listen to me.. good thread..

edit >> not the same source, but close: http://216.239.39.100/search?q=cache...hl=en&ie=UTF-8
February 8th, 2003, 07:40 AM
ThePreacher

This is a funny thing. We had a discussion concerning this on another forum. Apparently a member found a way to disguise his Red Hat webserver as Solaris 8 using ip personality. He also used a program called jiffies to effectively fool the Netcraft webserver survey. Finally he changed the source of apache to something different too.
Here is a link to that discussion http://forum.****microsoft.com/cgi-b...c&f=5&t=001343

Here is a link to his site.
http://voidmain.kicks-ass.net/aboutuptime.html