# The confusing nmap thread/IP Personality

## Vanquirius

Hello, 

I recently installed a mini-server, and I am looking forward to seeing what type of funky stuff I can do  :Smile: . I had originally installed Gentoo, but since I am really constrained by hard-disk space I ended up installing Conectiva (apt-get is not as good as emerge, but it will do... - don't worry, Gentoo is still my favorite and what I have on my desktop). 

Anyway, on to the interesting part: 

I know some sites do this, and I figured, why not try to do it here as well - why not create confusing fingerprints so that nmap and other tools think I'm using another OS? Winblows, BeOS, whatever  :Smile: ...

A simple scan makes a correct guess:

```
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 2.321 days (since Mon Jul 28 13:19:40 2003)
```

I don't *need* to confuse any internet scanners, but I think it is worth the fun of it... 

I know I may be asking for too much, so I don't expect to be handed out any exact answer (although it would also be very appreciated), but it would be nice if anyone could point out some reading I could use.

----------

## idl

This isn't easy, period. 

Detection is done by using TCP/IP sequence fingerprints. Basically, sequence information that's sent back when various tests are performed on open ports on the target. Each OS's implementation of the TCP/IP stack has different sequence fingerprints for the various tests; some tests may be the same, but with the inclusion of data from the other tests, an identification can be made.

So unless you're interested in implementing your own tcp/ip stack, I'd aim your sights a little lower  :Wink: 

----------

## devon

I would do a Google search as some links did appear.  Check out http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=nmap+fake+os+fingerprint&btnG=Google+Search.

Although, like port001 said, it does look like you have to make some kernel modifications.

----------

## verbatim

The grsecurity linux kernel patch will make it unidentifiable as any known OS to nmap.

----------

## Vanquirius

Thanks for your replies  :Smile: . 

Devon, you had just the perfect keywords I was looking for. I ended up finding IP Personality. Seems to be just the right tool for the job --- it is a plain and simple netfilter patch. It sets a target for Iptables, which can be used to load one of the pre-defined configs. The configs are the really nice part of all (part of dreamcast config):

```
tcp_decoy {
  code {
    if (option(mss)) { /* nmap has mss on all of its pkts */
      set(df, 0);
      if (listen) {
        if (flags(syn&ece)) { /* nmap test 1 */
          set(win, 0x1D4C);
          set(ack, this + 1);
          set(flags, ack|syn);
          insert(mss, this+1);
          reply;
        }
```

Gorgeous code  :Smile: . I'll give it a shot.
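To make the two technical points in this thread concrete (idl's description of nmap probing open ports with distinctive TCP segments, and the quoted tcp_decoy fragment that answers nmap's test 1 with fixed values), here is an added Python model that is not part of the thread or of IP Personality. It assumes `this` in the config means the incoming packet's value of the same field, and the `Segment` type and sample records are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the TCP fields a netfilter hook such as ipt_PERS sees.
@dataclass
class Segment:
    flags: frozenset                              # e.g. frozenset({"syn", "ece"})
    options: dict = field(default_factory=dict)   # TCP options, e.g. {"mss": 1460}
    seq: int = 0
    listening: bool = False                       # destination port has a listener

# nmap test 1 as the dreamcast config matches it: SYN+ECE, with MSS, to an open port.
NMAP_TEST1_FLAGS = frozenset({"syn", "ece"})

def is_nmap_test1(seg: Segment) -> bool:
    """True when a segment looks like nmap's OS-detection test 1 probe."""
    return "mss" in seg.options and seg.listening and seg.flags == NMAP_TEST1_FLAGS

def dreamcast_decoy(seg: Segment) -> dict:
    """Fields the quoted tcp_decoy block sets; 'reply' is True when it answers itself.
    Assumption: `this` denotes the incoming value of the same field."""
    if "mss" not in seg.options:          # nmap has mss on all of its pkts
        return {"reply": False}
    out = {"df": 0, "reply": False}       # set(df, 0) happens before the listen check
    if seg.listening and seg.flags == NMAP_TEST1_FLAGS:
        out.update(win=0x1D4C,                       # set(win, 0x1D4C)
                   ack=seg.seq + 1,                  # set(ack, this + 1)
                   flags=frozenset({"ack", "syn"}),  # set(flags, ack|syn)
                   mss=seg.options["mss"] + 1,       # insert(mss, this+1)
                   reply=True)
    return out

# Constructed sample of (source address, segment) records from a packet log.
SAMPLE = [
    ("10.0.0.5", Segment(frozenset({"syn"}), {"mss": 1460}, 1000, True)),        # normal connect
    ("10.0.0.9", Segment(frozenset({"syn", "ece"}), {"mss": 265}, 2000, True)),  # nmap test 1
    ("10.0.0.9", Segment(frozenset({"syn", "ece"}), {"mss": 265}, 2001, False)), # closed port
    ("10.0.0.9", Segment(frozenset({"syn", "ece"}), {}, 2002, True)),            # no MSS option
]

def probe_sources(records) -> list:
    """Sources that sent at least one test-1 probe: a cheap OS-scan indicator for a log."""
    return sorted({src for src, seg in records if is_nmap_test1(seg)})
```

Only the branch quoted in the post is modelled; the rest of the dreamcast config (other tests, closed ports) is not reproduced here.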

----------

## idl

 *ManuChao wrote:*   

> Thanks for your replies . 
> 
> Devon, you had just the perfect keywords I was looking for. I ended up finding IP Personality. Seems to be just the right tool for the job --- it is a plain and simple netfilter patch. It sets a target for Iptables, which can be used to load one of the pre-defined configs. The configs are the really nice part of all (part of dreamcast config):
> 
> ```
> ...
> ```


nice   :Shocked:   :Very Happy: 

----------

## Vanquirius

Ok, if anyone took a look at IP Personality, you've seen that it has patches for kernel 2.4.18 and iptables-1.2.2. Using vanilla-sources allows the patch to work normally and compile properly. 

However, 2.4.18 is obviously outdated, so I tried to create a patch for gentoo-2.4.20-r5. After some struggle, I got everything to compile apparently properly, but when I try to insmod ipt_PERS I get an unresolved symbol error: 

```
bash-2.05b# insmod ipt_PERS
Using /lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ipt_PERS.o
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ipt_PERS.o: unresolved symbol ip_conntrack_get_R2gig_1555a342
/lib/modules/2.4.20-gentoo-r5/kernel/net/ipv4/netfilter/ipt_PERS.o:
Hint: You are trying to load a module without a GPL compatible license
      and it has unresolved symbols.  Contact the module supplier for
      assistance, only they can help you.
```

I haven't tackled iptables yet. Anyone willing to give me a hand?

IP Personality:

http://heanet.dl.sourceforge.net/sourceforge/ippersonality/ippersonality-20020427-2.4.18.tar.gz

My patch for gentoo-sources-2.4.20-r5: 

http://nibirutech.no-ip.com/dl/src/ippersonality-gentoo-2.4.20-r5.tar.gz

Files I played with:

```
include/linux/netfilter_ipv4/ip_conntrack.h
net/netsyms.c
net/ipv4/netfilter/Config.in
net/ipv4/netfilter/Makefile
```

----------

