Fugitif
03.10.2008, 12:40
OSfuscate: Change your Windows OS TCP/IP Fingerprint to confuse P0f, NetworkMiner, Ettercap, Nmap and other OS detection tools
I was wondering awhile back how one could go about changing the OS fingerprint of a Windows box to confuse tools like Nmap, P0f, Ettercap and NetworkMiner. I knew there were registry setting you could change in Windows XP/Vista that would let you reconfigure how the TCP/IP stack works, thus changing how the above tools would detect the OS. I wasn't sure what all registry changes to make, but luckily I found Craig Heffner's tool Security Cloak ( sec_cloak.exe ) and by looking at it's source I was able to figure out what to do. The needed IP stack changes were hardcoded into Security Cloak, but for my tool I decided to make it easier to update by allowing the user to add new OS fingerprint profiles as ini files. Yes, I know this is security through obscurity and the attacker can still probably figure out the OS on a box by other means, but I still think it's kind of cool to play with. If you want to try out the beta use the link below and let me know how well it works against Nmap, P0f, Ettercap and NetworkMiner:
Curret profiles include: BeOS, Checkpoint Firewall, DOS, FreeBSD, HP Unix, IBM OS400, IRIX, Linux, Novell, Palm OS 3.5, PalmOS 5.2, Playstation, Sega Dreamcast, Sun OS, Tru64, Windows 2000, Windows 98, Windows CE, Windows NT and Windows SP SP1. Some may work better than others. Also, if you create any new OS profiles, please send them to me so I can add them to the distribution (I'll be glad to give you credit and link to your site). I make no guarantees that it won't screw up your box, so use it with caution. OSfuscate modifies the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Tcp1323Opts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\TcpUseRFC1122UrgentPointer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\TcpWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\SackOpts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\*\MTU
Download and More Info:
http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools
I was wondering awhile back how one could go about changing the OS fingerprint of a Windows box to confuse tools like Nmap, P0f, Ettercap and NetworkMiner. I knew there were registry setting you could change in Windows XP/Vista that would let you reconfigure how the TCP/IP stack works, thus changing how the above tools would detect the OS. I wasn't sure what all registry changes to make, but luckily I found Craig Heffner's tool Security Cloak ( sec_cloak.exe ) and by looking at it's source I was able to figure out what to do. The needed IP stack changes were hardcoded into Security Cloak, but for my tool I decided to make it easier to update by allowing the user to add new OS fingerprint profiles as ini files. Yes, I know this is security through obscurity and the attacker can still probably figure out the OS on a box by other means, but I still think it's kind of cool to play with. If you want to try out the beta use the link below and let me know how well it works against Nmap, P0f, Ettercap and NetworkMiner:
Curret profiles include: BeOS, Checkpoint Firewall, DOS, FreeBSD, HP Unix, IBM OS400, IRIX, Linux, Novell, Palm OS 3.5, PalmOS 5.2, Playstation, Sega Dreamcast, Sun OS, Tru64, Windows 2000, Windows 98, Windows CE, Windows NT and Windows SP SP1. Some may work better than others. Also, if you create any new OS profiles, please send them to me so I can add them to the distribution (I'll be glad to give you credit and link to your site). I make no guarantees that it won't screw up your box, so use it with caution. OSfuscate modifies the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Tcp1323Opts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\TcpUseRFC1122UrgentPointer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\TcpWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\SackOpts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters\Interfaces\*\MTU
Download and More Info:
http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools