Thwarting Remote OS Fingerprinting Eric Kluthe

Post on 17-Jan-2016

Page 1

Thwarting Remote OS Fingerprinting

Eric Kluthe 

Page 2

What is OS fingerprinting?

Sending packets, usually ICMP and TCP, and recording the responses that come back.

To get optimal results, Nmap and other tools send a handful of specially crafted packets in order to accurately fingerprint and detect an OS.

Page 3

An example of fingerprinting

The ICMP echo test 

Page 4

ICMP packet structure

Page 5

An Example - The ICMP echo test

In this test we send out two packets with the following attributes:

Packet 1: IP DF bit set, TOS byte value of 0, an ICMP code of 9 (should be 0), sequence number 295, and 125 bytes of zeros as the payload.

Packet 2: TOS of four (IP_TOS_RELIABILITY), a code of 0, and 150 bytes of random data.

Page 6

What do we get in return? 

Windows 2008 Server: 

        IE(R=Y%DFI=N%TG=80%CD=Z)

Ubuntu 10.04:

        IE(R=Y%DFI=N%T=40%CD=S)

Notice the differences? 
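To make the two fingerprint lines above concrete, here is an added Python model of the IE test, written for this page rather than taken from the deck or from Nmap's source, that derives the R, DFI, T/TG and CD fields from the DF bit, ICMP code and TTL of the two echo replies. The reply values are constructed to reproduce the slide's output, and the hop count used for the exact T value is assumed to come from a separate traceroute.

```python
from dataclasses import dataclass

@dataclass
class Reply:
    df: bool    # DF bit in the echo reply
    code: int   # ICMP code in the echo reply
    ttl: int    # TTL as seen in the reply

# The two probes from the slides: DF bit and ICMP code are what the reply tests depend on.
PROBE1_DF, PROBE1_CODE = True, 9     # DF set, TOS 0, code 9, 125 zero bytes
PROBE2_DF, PROBE2_CODE = False, 0    # TOS 4, code 0, 150 random bytes

def dfi_value(r1, r2):
    """DFI: N = neither reply has DF, S = each echoes its probe, Y = both set, O = other."""
    if not r1.df and not r2.df:
        return "N"
    if r1.df == PROBE1_DF and r2.df == PROBE2_DF:
        return "S"
    return "Y" if r1.df and r2.df else "O"

def cd_value(r1, r2):
    """CD: Z = both codes zero, S = both echo the probe's code, hex = same nonzero, O = other."""
    if r1.code == 0 and r2.code == 0:
        return "Z"
    if r1.code == PROBE1_CODE and r2.code == PROBE2_CODE:
        return "S"
    return f"{r1.code:X}" if r1.code == r2.code else "O"

def ttl_guess(ttl):
    """TG: observed TTL rounded up to the next common initial TTL (0x20, 0x40, 0x80, 0xFF)."""
    for bound in (0x20, 0x40, 0x80):
        if ttl <= bound:
            return f"{bound:X}"
    return "FF"

def ie_line(r1, r2, hops=None):
    """Build the IE(...) line. T is the exact initial TTL when the hop count is known
    (assumed to come from a separate traceroute); otherwise TG is a rounded guess."""
    if r1 is None or r2 is None:
        return "IE(R=N)"
    ttl = f"T={r1.ttl + hops:X}" if hops is not None else f"TG={ttl_guess(r1.ttl)}"
    return f"IE(R=Y%DFI={dfi_value(r1, r2)}%{ttl}%CD={cd_value(r1, r2)})"

# Constructed replies that reproduce the two slide lines: Windows clears the
# code and starts at TTL 128, Linux echoes the code and starts at TTL 64.
WINDOWS = (Reply(df=False, code=0, ttl=127), Reply(df=False, code=0, ttl=127))
UBUNTU = (Reply(df=False, code=9, ttl=63), Reply(df=False, code=0, ttl=63))
```

Raising the host's default TTL, one of the values the later slides change, is enough to move the TG field from 40 to FF, which is why the clean Ubuntu fingerprint stops matching.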

Page 7

My Research

1. Find out what software packages are out there for both OS detection and evasion.

2. Test these tools using Backtrack 5, clean install of Ubuntu 10.04, and a clean install of Windows Server 2008. 

3. Firewall all of the non-public services off from the public. 

4. Test again and record results.

5. Install OS evasion software. Disable firewall. 

6. Test again and record results. 

7. Enable firewall and evasion software

8. Test again and record results. 


Page 8

What ended up happening? 

1. The only detection tools that are still being updated are Nmap and SinFP.

2. There are no fingerprint evasion tools that work for operating systems made within the past 4 years. 

3. Since I knew how the fingerprinting software worked, I was able to mess with some TCP variables in the operating system to mimic the evasion tools. 

4. Success.

Page 9

Results

Clean:
    Nmap: Detected both perfectly.
    SinFP: Detected both perfectly.

With FW rules in place:
    Nmap: Detected both perfectly.
    SinFP: Detected both perfectly.

After changing the TCP values (MTU, window size, default TTL, etc.):
    Nmap: Ubuntu 10.04 turned into a Linksys WRV54G WAP. Windows: no exact match, but guessed it anyway.
    SinFP: Completely failed on both, no fingerprint found.

Page 10

Results

After implementing both FW rules and changing the TCP values:
    Nmap: Ubuntu machine returned no OS matches. Windows machine returned no exact matches but guessed with equal probability that it was either Windows or FreeBSD.
    SinFP: Failed.

Page 11

Results

- Created a script that makes an Ubuntu machine look like a Linksys router.

- Would have been easy to make a small script for Windows.

Page 12

Conclusions

1. Tools need to be updated or recreated for newer OSes.

2. It is pretty easy to change the profile of your machine and fool the detection/fingerprinting software. 

3. You should probably lock down the services on your machines anyway...

4. Messing with the TCP/IP values may introduce performance issues. (Future research?)