On Mon, Feb 22, 1999 at 11:55:43AM -0500, Patrick Gilbert wrote:
>
> How can we mask our operating system from these tcp/ip stack
> fingerprinting tools while still being functional?
>

Re,

In your article you advise that it is possible to filter SAF using ipfilter.
IMHO the best solution is to patch the kernel (source and GPL are already implemented for this purpose.)

For example in order to filter SAF:

*** tcp_output.c Fri Nov 20 10:49:53 1998 --- tcp_output2.c Tue Feb 23 11:15:51 1999 *************** *** 1021,1026 **** --- 1021,1027 ---- t1->urg = 0; t1->rst = 0; t1->psh = 0; + t1->fin = 0; t1->ack_seq = htonl(newsk->acked_seq); t1->doff = sizeof(*t1)/4+1; t1->res1 = 0;

Kernel patching can also mask window size and other tcp/ip implementation peculiarities.
In spite of this, if a lot of people use the same kernel patch, nmap and queso will be able to identify something as follows:

Linux 2.0.36 with yayaye patch 1.0

I think that patching your kernel in order to emulate win95 tcp/ip stack is the best solution... :)

bye,
antirez

--
Salvatore Sanfilippo
Intesis SECURITY LAB            Phone: +39-02-671563.1
Via Settembrini, 35             Fax: +39-02-66981953
I-20124 Milano  ITALY           Email: antirezat_private
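
Review bot: the added `t1->fin = 0;` after `t1->psh = 0;` has no comment, so a later reader of tcp_output.c sees one more flag being cleared with no hint that it is there to keep the FIN bit out of this reply (the SAF case the message names). A one-line comment above it stating that purpose would help. The visible context clears urg, rst, psh and now fin one by one and then sets `t1->res1 = 0;`, which suggests the header in `t1` starts from values not shown in the hunk; it is worth checking in the surrounding code that no other flag or reserved field can carry over the same way. The change is also unconditional, and as the message itself points out, a widely shared patch becomes its own recognizable signature, so a build-time or runtime switch around this line would make that trade-off explicit.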