Wednesday, October 15, 2008

Obfuscating Your OS TCP Stack or The Way To OSfuscate

Just another TCP post!
There are many tools for TCP/IP stack fingerprinting that try to figure out the target operating system, and all of them use fixed methods. Normally these tools send a SYN and wait for the SYN/ACK; when they receive that packet (or any other response to their probe) they analyze the packet's flag values and guess the OS.
Fyodor listed the TCP/IP stack fingerprinting methods in his article (nmap fingerprinting), and that list contains the following methods:
The FIN probe, The BOGUS flag probe, TCP ISN Sampling, Don't Fragment bit, TCP Initial Window, ACK Value, ICMP Error Message Quenching, ICMP Message Quoting, ICMP Error message echoing integrity, Type of Service, Fragmentation Handling, TCP Options, SYN Flood Resistance

These methods are supported by nmap.
Here is a picture from the NetworkMiner tool that shows some active and passive fingerprinting results for a single IP address.


It's currently a Vista box with its default configuration.
After some changes you can see that p0f and Ettercap cannot detect the OS, although Satori can still detect it by analyzing DHCP packets. It seems that Windows does not let you modify its DHCP packet configuration the way you can modify TCP.
This tool changes some values in your Windows registry, including these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpUseRFC1122UrgentPointer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SackOpts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\MTU
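To see why changing those keys matters, here is an added example (my own code, not OSfuscate's and not p0f's signature database) that builds a constructed IPv4/TCP SYN and extracts the fields a passive fingerprinter compares: TTL (DefaultTTL), the DF bit (EnablePMTUDiscovery), window size (TcpWindowSize), MSS (MTU), window scaling and timestamps (Tcp1323Opts) and SACK-permitted (SackOpts). The packet bytes, addresses and option layouts are constructed for the example and are not from a real capture.

```python
import struct

def build_syn(ttl, df, window, options):
    """Assemble a minimal IPv4 + TCP SYN (checksums left zero) for offline testing."""
    opts = options + b"\x00" * (-len(options) % 4)              # pad to 32-bit words
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def parse_syn(pkt):
    """Pull out the header fields a passive fingerprinter (p0f, Ettercap) compares."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)      # IP "Don't Fragment" bit
    ttl = pkt[8]
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i, layout, mss, wscale = tcp[20:doff], 0, [], None, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                            # end of option list
            break
        if kind == 1:                                            # NOP padding
            layout.append("nop"); i += 1; continue
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2:   mss = struct.unpack("!H", data)[0]; layout.append(f"mss={mss}")
        elif kind == 3: wscale = data[0]; layout.append(f"ws={wscale}")
        elif kind == 4: layout.append("sok")                      # SACK permitted (SackOpts)
        elif kind == 8: layout.append("ts")                       # timestamps (Tcp1323Opts)
        else:           layout.append(f"opt{kind}")
        i += length
    # TTL on the wire is the initial TTL minus hops; round up to the nearest common
    # default (32/64/128/255) to recover the sender's DefaultTTL setting.
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    return {"ttl": ttl, "initial_ttl": initial_ttl, "df": df, "window": window,
            "mss": mss, "wscale": wscale, "layout": ",".join(layout)}

def signature(fields):
    """p0f-style summary 'initialTTL:DF:window:options'; any of the registry changes alters it."""
    return f"{fields['initial_ttl']}:{int(fields['df'])}:{fields['window']}:{fields['layout']}"

# Constructed option blobs: MSS 1460, NOP, WS 8, NOP, NOP, SACK-permitted ...
DEFAULT_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"
# ... and the same host after SACK is disabled (SackOpts=0)
NO_SACK_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08"
```

Comparing signature(parse_syn(build_syn(128, True, 8192, DEFAULT_OPTS))) with the same call after lowering the TTL, clearing DF and dropping SACK shows how the summary line a fingerprinter matches against changes, and the TTL rounding shows why a hop count alone does not hide the DefaultTTL value.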


Here you can see the result of an nmap OS fingerprinting scan before and after using this tool:

before:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (92%), OpenBSD 4.X (92%), Microsoft Windows Vista (86%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (92%), OpenBSD 4.3 (92%), Microsoft Windows Vista (86%), Microsoft Windows Vista Home Basic (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop


and after:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (96%), OpenBSD 4.X (96%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (96%), OpenBSD 4.3 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop


It's not a stable or complete tool, and by the way, using this tool is at your own risk!!! It's recommended to try it out on a virtual machine OS if you want to test it.

This was just an introduction to the tool; the real post is at Irongeek, check it out, and there you can download OSfuscate 0.3 (the current version).

[update]: although all these changes confuse some tools, if your network uses DHCP addressing it is still easy to figure out your OS using Satori. Thanks Eric for reminding me of my mistake. I appreciate Eric and his good work ;)
I'll try to work on it more in my free time.
By the way, anyone can access Satori from here.

2 comments:

xnih said...

What is the date on the dhcp.xml file in NetworkMiner? Just curious, as the author of Satori, seeing that it misidentified Vista. I'm hoping it is just because the version of the file NetworkMiner is using is out of date. You could always try downloading Satori and seeing how it identifies the machine by itself.

sCORPINo said...

Thanks for the comment Eric.
I made a mistake, so I updated my post and added some lines at the end about this mistake.
Keep up your good job.
Cheers