    #1 Pyrobisqit (Just Joined!)
    Join Date: May 2011
    Posts: 29

    Defeating OS fingerprinting

    After hours and hours of hopeless searching, the closest thing I could find is this:

    Passive-Aggressive Resistance: OS Fingerprint Evasion | Linux Journal

    Unfortunately that article is from 2001, more than 10 years old, which renders it almost useless nowadays.

    Long story short: I don't want my server to report it's running Debian, or even Linux. I'd preferably have my server "disguised" as a Windows machine.

    Is there a way to achieve this? I saw a lot of pages suggesting kernel modules (which are for 2.2 or 2.4, pretty old too, as I'm running Debian 2.6). I couldn't come to a clear conclusion, so can anyone suggest something like this? Thanks!

    #2 Miven (Linux Enthusiast)
    Join Date: Dec 2011
    Location: Turtle Island West
    Posts: 525
    Which server? HTTP? FTP? SSH? CUPS? Samba? NFS? The answer would be particular to the individual server.

    #3 Pyrobisqit (Just Joined!)
    Join Date: May 2011
    Posts: 29
    Quote Originally Posted by Miven:
    Which server? HTTP? FTP? SSH? CUPS? Samba? NFS? The answer would be particular to the individual server.
    I'm sorry, I think you're mistaken. OS fingerprinting is that... it relies on the OS. Doesn't matter what you're running. How could changing my HTTP server, or modifying the parameters of my current one, make an attacker think it's a Windows machine instead of a Debian one? Doesn't seem to make much sense, does it?

    #4 atreyu (Trusted Penguin)
    Join Date: May 2011
    Posts: 4,353
    Quote Originally Posted by Pyrobisqit:
    I'm sorry, I think you're mistaken.
    no, i think he's pretty much dead-on. most programs that attempt to remotely identify a system probe a given port to see what is listening. it scoops up that info then checks out other ports and makes a best-guess after gathering all data. it might assume HTTP is on 80 and SSH is on 22, but a quick connection attempt (telnet, netcat, etc.) is usually all you need to get some preliminary information.

    read up on nmap for some great info on this. start with the nmap man page and "OS DETECTION".

    #5 Pyrobisqit (Just Joined!)
    Join Date: May 2011
    Posts: 29
    Quote Originally Posted by atreyu:
    read up on nmap for some great info on this. start with the nmap man page and "OS DETECTION".
    Trust me, I have read both official and unofficial guides on this. Unfortunately, the nmap guide offers help with 2.2 and 2.4 kernels, not 2.6 or even 3.0, and other forums and webpages suggest iptables mangling (and no one has a guide specifically on mangling packets to "disguise" your machine).
    So, do you suggest I change the welcome banners of the different services to make information gathering difficult? (Like the welcome banner on FTP or HTTPS)

    #6 atreyu (Trusted Penguin)
    Join Date: May 2011
    Posts: 4,353
    Quote Originally Posted by Pyrobisqit:
    So, do you suggest I change the welcome banners of the different services to make information gathering difficult? (Like the welcome banner on FTP or HTTPS)
    that is certainly an easy place to start, yes. i would first see what services are running on my local system, and go from there. that way you don't miss servers you didn't know were running, and you can disable those as well, if you don't need them.

    try these commands to see what network servers are running:

    Code:
    nmap -n localhost
    netstat -tulnp
    modifying welcome banners, etc. is a good start, but you may find you want more control over what info is leaked out. and it could be there is no user-friendly way to do that, for certain servers. i've never tried ipmangling to do that. you may find you need to modify the source (C) code of the server binaries to truly root out any information still getting out. i know that is hard-core, though...
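    As an added example (not from the thread or from either poster), the following Python script does the audit atreyu describes: it parses `netstat -tulnp` output, marks which listeners are reachable from outside the host rather than bound to loopback only, and connects to a listening port to record whatever greeting the service volunteers, then checks that greeting for OS or distribution names. The netstat sample, the throwaway demo server and its ProFTPD-style "(Debian)" banner are constructed for the example.

```python
import re
import socket
import socketserver
import threading
# Constructed sample of `netstat -tulnp` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      950/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
"""
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(?:\d+|-)/(\S+)")
OS_WORDS = ("debian", "ubuntu", "linux", "win32", "windows", "freebsd")

def parse_netstat(text):
    """One dict per listening socket; 'remote' marks sockets not bound to loopback,
    i.e. the ones an outside scanner can actually reach."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, prog = m.groups()
            services.append({"proto": proto, "addr": addr, "port": int(port),
                             "program": prog, "remote": addr not in ("127.0.0.1", "::1")})
    return services

def os_hints(banner):
    """OS or distribution names the banner gives away, lower-cased."""
    return [w for w in OS_WORDS if w in banner.lower()]

def grab_banner(host, port, timeout=2.0):
    """Connect to one of our own listening ports and return whatever the service
    sends unprompted; empty string means it waits for the client to speak first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""

class _Greeter(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(self.server.banner)

def start_demo_server(banner=b"220 ProFTPD 1.3.3 Server (Debian) ready.\r\n"):
    """Throwaway loopback server with a constructed, chatty banner so the audit runs
    offline. Returns (server, port); call server.shutdown() when finished."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Greeter)
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

    On a real host, feed `parse_netstat` the actual `netstat -tulnp` output and run `grab_banner` against each entry flagged remote; any banner that returns an OS hint is the first thing to change.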
