Yes it is possible, you can use a tool called iplog: IPlog is a TCP/IP logger that can detect some scans (XMAS, FIN, SYN, ACK, etc.). It also has an option (-z) that allows you to fool Nmap queries, and, although you can't behave as another OS, you can completely fool Nmap to avoid remote OS fingerprinting.

[EMAIL PROTECTED] /]# iplog -o -L -z -i eth0
[EMAIL PROTECTED] /]# nmap -vv -sS -O -10.0.0.2

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-08 09:33 ICT
Insufficient responses for TCP sequencing (1), OS detection may be less accurate
Insufficient responses for TCP sequencing (1), OS detection may be less accurate
Insufficient responses for TCP sequencing (1), OS detection may be less accurate
Interesting ports on webconsole (10.0.0.2):
(The 1599 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
443/tcp    open        https
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.10ALPHA4%P=i586-pc-linux-gnu%D=2/20%Time=3E54C833%O=9%C=1)
T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=BA%Ops=)
T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BARF%Ops=)
T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BPF%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=O%Flags=BA%Ops=)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=O%Flags=BA%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

In this example, nmap is not clever enough to guess the OS. But to completely fool nmap into giving a false OS like (Play Station, Sega Dreamcast, etc.), you would need a kernel patch/module...

Nawapong Nakjang
IT Security Specialist
Security Team, Network Operation Center
KSC Commercial Internet Co, Ltd.
E-Mail: [EMAIL PROTECTED]

-----Original Message-----
From: vincent [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 06, 2003 1:42 AM
To: [EMAIL PROTECTED]
Subject: Tweaking /proc to avoid fingerprinting

I was watching some traffic and trying to figure out what OS the packets came from by their TTL, Window Size, etc.

Since then I have been changing around just about every proc entry trying to confuse some of the tools that pull these values. And it works fine for tools like disco, p0f, but nmap is still too clever. Is it possible to fool nmap without using any types of kernel mods, or iptables filtering?

Also, something else seems odd to me: I have /proc/sys/net/ipv4/icmp_echo_ignore_all set to 1 but still reply to pings. The ping problem I'll probably find within another few minutes, but searching for filtering with /proc entries is difficult due to all the iptables scripts with keywords.

Thanks in advance if you have any documentation or advice.

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
---------------------------------------------------------------------------
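The scan detection that the reply above credits to iplog (XMAS, FIN, NULL, SYN, ACK probes), as an added example that is not part of this thread and not iplog's own code: a minimal classifier run over a constructed packet log, which flags any source that hits several ports with the same probe type. The one-letter flag notation, the packet tuples and the port threshold are assumptions for the example.

```python
from collections import defaultdict

def classify_probe(flags):
    """Map a TCP flag string (letters F,S,R,P,A,U, nmap style) to the
    scan type it is characteristic of; normal traffic falls into 'other'."""
    f = set(flags)
    if not f:
        return "NULL"            # no flags at all: NULL scan
    if f == {"F", "P", "U"}:
        return "XMAS"            # FIN+PSH+URG: XMAS scan
    if f == {"F"}:
        return "FIN"             # lone FIN to a port with no connection
    if f == {"S"}:
        return "SYN"             # bare SYN (half-open scan or a normal connect)
    if f == {"A"}:
        return "ACK"             # bare ACK (firewall-mapping probe or mid-stream)
    return "other"

# Constructed sample log, not a real capture: (source, dst_port, flags).
PACKETS = [
    ("10.0.0.9", 22, "FPU"), ("10.0.0.9", 80, "FPU"),
    ("10.0.0.9", 443, "FPU"), ("10.0.0.9", 8080, "FPU"),
    ("10.0.0.7", 21, ""), ("10.0.0.7", 22, ""), ("10.0.0.7", 23, ""),
    ("10.0.0.5", 443, "S"), ("10.0.0.5", 443, "A"),   # ordinary client
    ("10.0.0.5", 443, "PA"), ("10.0.0.5", 443, "FA"),
]

def detect_scans(packets, port_threshold=3):
    """Return {src: {scan_type: sorted ports}} for every source that sent
    one probe type to at least port_threshold distinct ports.  A single
    SYN or ACK to one port is normal traffic and is never reported."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, port, flags in packets:
        seen[src][classify_probe(flags)].add(port)
    alerts = {}
    for src, kinds in seen.items():
        hits = {kind: sorted(ports) for kind, ports in kinds.items()
                if kind != "other" and len(ports) >= port_threshold}
        if hits:
            alerts[src] = hits
    return alerts

if __name__ == "__main__":
    for src, hits in detect_scans(PACKETS).items():
        print(src, hits)
```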
