Skip to main content
SpringerLink
Log in

IpMorph: fingerprinting spoofing unification

  • Original Paper
  • Published:
Journal in Computer Virology Aims and scope Submit manuscript

Abstract

There is nowadays a wide range of TCP/IP stack identification tools that allow to easily recognize the operating system of foreseen targets. The object of this article is to show that fingerprint concealment and spoofing are uniformly possible against different known fingerprinting tools. We present IpMorph, counter-recognition software implemented as a user-mode TCP/IP stack, ensuring session monitoring and on the fly packets re-writing. We detail its operation and use against tools like Nmap, Xprobe2, Ring2, SinFP and p0f, and we evaluate its efficiency thanks to a first technical implementation that already covers most of our objectives.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Smart, M., Malan, G.R., Jahanian, F.: Defeating TCP/IP stack fingerprinting. In: Proceddings of the 9th USENIX Security Symposium. http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html

  2. Fyodor: Remote OS detection via TCP/IP stack fingerprinting. http://www.insecure.org/nmap/nmap-fingerprinting-article.txt

  3. Spangler, R.: Analysis of remote active operating system fingerprinting tools, ettercap, Nmap and other OS detection tools. http://www.packetwatch.net/documents/papers/osdetection.pdf (2008)

  4. Auffret, P.: SinFP, unification de la prise d’empreinte passive et active des systèmes d’exploitation, SSTIC 2008. http://www.gomor.org/bin/view/GomorOrg/ConfSstic2008

  5. Veysset, F., Courtay, O., Heen, O.: New tool and technique for remote operating system fingerprinting. http://www.ouah.org/ring-full-paper.pdf (2002)

  6. Smith, C., Grundl, P.: Know your enemy: passive fingerprinting. http://old.honeynet.org/papers/finger/ (2002)

  7. Berrueta, D.B.: A practical approach for defeating Nmap OS-fingerprinting. http://nmap.org/misc/defeat-nmap-osdetect.htm (2003)

  8. Trifero, S., Callaway, D.: Linux stealth patch. http://www.innu.org/~sean/ (2002)

  9. Rehmet, G.: FreeBSD blackhole. http://www.gsp.com/cgi-bin/man.cgi?section=4&topic=blackhole

  10. McCabe, R.: IPlog. http://ojnk.sourceforge.net/stuff/iplog.readme (2001)

  11. Hartmeier, D.: OpenBSD packet filter. http://www.openbsd.org/faq/pf/index.html

  12. Crenshaw, A.: OSfuscate: change your windows OS TCP/IP fingerprint to confuse P0f, NetworkMiner, ettercap, Nmap and other OS detection tools. http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools (2008)

  13. Provos, N.: Honeyd: a virtual honeypot daemon. http://www.citi.umich.edu/u/provos/papers/honeyd-eabstract.pdf (2003)

  14. Wang, K.: Frustrating OS fingerprinting with morph. http://www.synacklabs.net/projects/morph/Wang-Morph-TheFifthHOPE.pdf (2004)

  15. BridNet SSTIC 2005. http://www.bridnet.fr/files/23/sstic2005_bridnet.pdf

  16. Hynesim http://www.hynesim.org

  17. A painless guide to CRC error detection. http://www.repairfaq.org/filipg/LINK/F_crc_v3.html

  18. CRC and how to reverse it. http://www.codebreakers-journal.com/downloads/cbj/2004/CBJ_1_1_2004 Anarchriz_CRC_and_how _to_Reverse_it.pdf

  19. Veysset, F., Courtay, O., Heen, O.: Détection des systèmes d’exploitation avec RINGv2 Actes SSTIC 2003

Download references

Author information

Authors and Affiliations

  1. Diateam: Architectes de l’information, 41, rue Yves Collet, 29200, Brest, France

    Guillaume Prigent & Florian Vichot

  2. Laboratoire d’Informatique des Systèmes Complexes (LISyC), Technopôle Brest Iroise, 29280, Plouzané, France

    Fabrice Harrouet

Authors
  1. Guillaume Prigent
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Florian Vichot
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Fabrice Harrouet
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Guillaume Prigent.

Additional information

The IpMorph software is distributed under the GPLv3 license. This independent project is based on our previous works, and mainly derives from a specific need in the “Hynesim” network architecture simulation project (DGA-CELAR/SSI-AMI government contract, http://www.hynesim.org).

Rights and permissions

Reprints and permissions

About this article

Cite this article

Prigent, G., Vichot, F. & Harrouet, F. IpMorph: fingerprinting spoofing unification. J Comput Virol 6, 329–342 (2010). https://doi.org/10.1007/s11416-009-0134-4

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-009-0134-4

Keywords

Search

Navigation