Re: Preventing remote OS detection

From: Salvatore Sanfilippo (antirezat_private)
Date: Tue Feb 23 1999 - 02:33:24 PST


    On Mon, Feb 22, 1999 at 11:55:43AM -0500, Patrick Gilbert wrote:
    >
    > How can we mask our operating system from these tcp/ip stack
    > fingerprinting tools while still being functional?
    >
    
    Re,
    
    	In your article you advise that it is possible to
    	filter SAF using ipfilter. IMHO the best solution
    	is to patch the kernel (source and GPL are already
    	implemented for this purpose.) For example, in order
    	to filter SAF:
    
    *** tcp_output.c        Fri Nov 20 10:49:53 1998
    --- tcp_output2.c       Tue Feb 23 11:15:51 1999
    ***************
    *** 1021,1026 ****
    --- 1021,1027 ----
            t1->urg = 0;
            t1->rst = 0;
            t1->psh = 0;
    +       t1->fin = 0;
            t1->ack_seq = htonl(newsk->acked_seq);
            t1->doff = sizeof(*t1)/4+1;
            t1->res1 = 0;
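Review bot: The new `t1->fin = 0;` carries no comment, and sitting next to `t1->urg = 0;`, `t1->rst = 0;`, `t1->psh = 0;` it reads like a routine flag reset rather than the whole point of the patch; a one-line comment stating that it keeps a SYN|FIN probe's FIN from being echoed in the SYN-ACK would make the intent survive future merges. The `---` header also names `tcp_output2.c` while the `***` header names `tcp_output.c`, so anyone applying this should give patch the target path explicitly rather than rely on the header.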
    
    	Kernel patching can also mask window size and
    	other tcp/ip implementation peculiarities.
    
    	In spite of this, if a lot of people use the
    	same kernel patch, nmap and queso will be
    	able to identify something as follows:
    
    		Linux 2.0.36 with yayaye patch 1.0
    
    	I think that patching your kernel in order to emulate
    	win95 tcp/ip stack is the best solution... :)
    
    bye,
    antirez
    
    --
    Salvatore Sanfilippo
    Intesis SECURITY LAB            Phone: +39-02-671563.1
    Via Settembrini, 35             Fax: +39-02-66981953
    I-20124 Milano  ITALY           Email: antirezat_private
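Added example (not code from antirez's mail or from the Linux kernel): a small C model of the two things the message describes, recognising the malformed SYN|FIN style probes that stack fingerprinters send, and the flag clearing the hunk above performs so the SYN-ACK no longer echoes the probe's FIN. The "unpatched" reply behaviour is an assumption read from the hunk, and the header bytes are constructed.

```c
/* Added example (not from antirez's mail or the Linux sources): recognise the
 * malformed probes fingerprinters send, and model the flag clearing the hunk above
 * adds to the kernel's SYN-ACK. The 'unpatched' behaviour is my reading of the hunk. */
#include <stdint.h>
#include <string.h>

enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20 };
enum probe_kind { PROBE_NONE, PROBE_NULL, PROBE_SYN_FIN, PROBE_XMAS, PROBE_LONE_FIN };

/* Flags are the low 6 bits of byte 13 of the TCP header (RFC 793 layout). */
uint8_t tcp_flags(const uint8_t *hdr, size_t len)
{
    return len >= 20 ? (uint8_t)(hdr[13] & 0x3f) : 0;
}

/* No conforming stack emits these combinations; treat them as fingerprint probes. */
enum probe_kind classify_probe(const uint8_t *hdr, size_t len)
{
    if (len < 20) return PROBE_NONE;
    uint8_t f = tcp_flags(hdr, len);
    if (f == 0) return PROBE_NULL;
    if ((f & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN))
        return (f & (TCP_URG | TCP_PSH)) ? PROBE_XMAS : PROBE_SYN_FIN;
    if (f == TCP_FIN) return PROBE_LONE_FIN;
    return PROBE_NONE;
}

/* Before the patch: the reply starts as a copy of the probe's header and only
 * URG/RST/PSH are cleared, so a SYN|FIN probe is answered with SYN|ACK|FIN. */
uint8_t synack_flags_unpatched(uint8_t probe_flags)
{
    return (uint8_t)((probe_flags & ~(TCP_URG | TCP_RST | TCP_PSH)) | TCP_SYN | TCP_ACK);
}

/* After the patch (t1->fin = 0): the reply is exactly SYN|ACK whatever was sent. */
uint8_t synack_flags_patched(uint8_t probe_flags)
{
    return (uint8_t)(synack_flags_unpatched(probe_flags) & ~TCP_FIN);
}

/* Constructed 20-byte header carrying the given flags (ports, seq, window zero). */
void make_hdr(uint8_t flags, uint8_t out[20])
{
    memset(out, 0, 20);
    out[12] = 5 << 4;   /* data offset = 5 words, no options */
    out[13] = flags;
}
```

A stack that answers the SYN|FIN header with 0x13 instead of 0x12 is the tell the message is talking about; a sensor that sees the probe itself can flag the source with classify_probe.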
    