From: yavuz
To: freebsd-questions@freebsd.org
Date: Sun, 7 Feb 2010 15:54:41 +0200
Message-ID: <97371e801002070554n7a76a85fnbcce0cea7127cdb9@mail.gmail.com>
Subject: Cheating OS fingerprinting
List-Id: User questions (freebsd-questions@freebsd.org)

Hi all,

I want to cheat OS fingerprinting tools (primarily nmap) on my FreeBSD machine. Assume I am using FreeBSD 8 and I want to be seen as a Windows XP machine when someone scans my ports.

In order to determine the target host's OS, nmap sends seven crafted TCP/IP packets (called tests) and waits for the answers. The results are checked against a database of known results (the OS signature database). If the answer matches any of the entries in the database, it can guess that the remote OS is the same as the one in the database. Some nmap packets are sent to an open port and the others to a closed port; depending on those results, the remote OS is guessed.

So to cheat nmap, I have to analyze all incoming packets (as a firewall does) and, if a test packet coming from a scanner is found, I have to give the appropriate reply packet (depending on the OS signature I want to use). IPPersonality is an old Linux patch that does the same job.

I want to implement a FreeBSD tool that cheats OS fingerprinting. As I said, I have to analyze all incoming packets as a firewall does and do some work if packets are coming from a scanner. Can I implement this feature as a patch to PF, or does PF provide some mechanism to write extension modules? Can you give any advice? Where to start? :)

best regards...
yavuz
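The matching step the post describes (collect the replies to each probe, compare them attribute by attribute against a signature database) is the part a spoofing tool has to reverse: it must know which attributes of its own replies disagree with the signature it wants to imitate. The following is an added example written for this page, not code from the poster, from nmap or from IPPersonality. It parses a small signature set written in the nmap-os-db line style, `TEST(attr=value%attr=value)` with `|` alternatives and hex ranges like `7B-85`, scores a constructed set of observed replies against it, and lists the attributes a spoofer would have to rewrite. The two fingerprints, the observed values and the attribute names chosen for them are constructed for illustration; the real nmap-os-db has many more tests (SEQ, OPS, WIN, ECN, T1 to T7, U1, IE) and more value syntax than this parser handles.

```python
"""Score probe replies against nmap-os-db style signatures (constructed example)."""
import re
from typing import Dict, List, Tuple

Attrs = Dict[str, str]
Fingerprint = Dict[str, Attrs]

# Constructed, simplified signatures in the nmap-os-db line format.
# Values are made up for illustration; they are NOT from the real nmap-os-db.
SAMPLE_DB = """
Fingerprint Constructed Windows XP
T1(R=Y%DF=Y%T=7B-85%W=FAF0|FFFF%F=AS)
T5(R=Y%DF=N%T=7B-85%W=0%F=AR)
U1(R=Y%DF=N%T=7B-85%IPL=B0)

Fingerprint Constructed FreeBSD 8
T1(R=Y%DF=Y%T=3B-45%W=FFFF%F=AS)
T5(R=Y%DF=N%T=3B-45%W=0%F=AR)
U1(R=Y%DF=N%T=3B-45%IPL=38)
"""

# Constructed replies as captured from the host being scanned: TTL 0x40 (64)
# on every reply, IP total length 0x38 on the ICMP port-unreachable (U1).
OBSERVED_FREEBSD: Fingerprint = {
    "T1": {"R": "Y", "DF": "Y", "T": "40", "W": "FFFF", "F": "AS"},
    "T5": {"R": "Y", "DF": "N", "T": "40", "W": "0", "F": "AR"},
    "U1": {"R": "Y", "DF": "N", "T": "40", "IPL": "38"},
}

TEST_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")
HEX = re.compile(r"^[0-9A-Fa-f]+$")


def parse_db(text: str) -> Dict[str, Fingerprint]:
    """Parse 'Fingerprint <name>' headers followed by TEST(...) lines."""
    db: Dict[str, Fingerprint] = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            db[name] = {}
            continue
        m = TEST_LINE.match(line)
        if m is None or name is None:
            raise ValueError(f"unparseable signature line: {line!r}")
        test, body = m.groups()
        attrs: Attrs = {}
        for kv in body.split("%"):
            key, _, value = kv.partition("=")
            attrs[key] = value
        db[name][test] = attrs
    return db


def value_matches(expr: str, observed: str) -> bool:
    """expr lists '|' alternatives; an alternative LO-HI is an inclusive hex range."""
    for alt in expr.split("|"):
        lo, sep, hi = alt.partition("-")
        if sep and HEX.match(lo) and HEX.match(hi) and HEX.match(observed):
            if int(lo, 16) <= int(observed, 16) <= int(hi, 16):
                return True
        elif alt == observed:
            return True
    return False


def score(fp: Fingerprint, observed: Fingerprint) -> Tuple[int, int]:
    """(matched, total) attributes over the tests for which a reply was seen."""
    matched = total = 0
    for test, attrs in fp.items():
        got = observed.get(test)
        if got is None:
            continue  # probe unanswered or not captured: nothing to compare
        for key, expr in attrs.items():
            total += 1
            if key in got and value_matches(expr, got[key]):
                matched += 1
    return matched, total


def best_match(db: Dict[str, Fingerprint], observed: Fingerprint) -> Tuple[str, float]:
    """Name and match ratio of the best-scoring signature."""
    best_name, best_ratio = "", -1.0
    for name, fp in db.items():
        matched, total = score(fp, observed)
        ratio = matched / total if total else 0.0
        if ratio > best_ratio:
            best_name, best_ratio = name, ratio
    return best_name, best_ratio


def mismatches(target: Fingerprint, observed: Fingerprint) -> List[Tuple[str, str, str, str]]:
    """(test, attr, wanted, have) for every reply field a spoofer must rewrite."""
    out: List[Tuple[str, str, str, str]] = []
    for test, attrs in target.items():
        got = observed.get(test)
        if got is None:
            continue
        for key, expr in attrs.items():
            have = got.get(key, "")
            if not value_matches(expr, have):
                out.append((test, key, expr, have))
    return out


if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    print("best match:", best_match(db, OBSERVED_FREEBSD))
    for row in mismatches(db["Constructed Windows XP"], OBSERVED_FREEBSD):
        print("to look like XP, rewrite %s %s: want %s, have %s" % row)
```

The `mismatches` output is effectively the work list for the reply-rewriting side of the tool the post asks about: in this constructed data the TTL on every reply and the IP length of the ICMP port-unreachable are what give the host away, and both are set by the stack rather than by any application, so they have to be changed either in the stack itself or by something that sees and edits the outgoing reply.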