Abstract
There is nowadays a wide range of TCP/IP stack identification tools that make it easy to recognize the operating system of prospective targets. The object of this article is to show that fingerprint concealment and spoofing are uniformly possible against different known fingerprinting tools. We present IpMorph, counter-recognition software implemented as a user-mode TCP/IP stack that ensures session monitoring and on-the-fly packet rewriting. We detail its operation and use against tools such as Nmap, Xprobe2, Ring2, SinFP and p0f, and we evaluate its efficiency through a first implementation that already covers most of our objectives.
Additional information
The IpMorph software is distributed under the GPLv3 license. This independent project is based on our previous work, and mainly derives from a specific need in the “Hynesim” network architecture simulation project (DGA-CELAR/SSI-AMI government contract, http://www.hynesim.org).
Cite this article
Prigent, G., Vichot, F. & Harrouet, F. IpMorph: fingerprinting spoofing unification. J Comput Virol 6, 329–342 (2010). https://doi.org/10.1007/s11416-009-0134-4