Avoiding OS fingerprinting in Windows

[Irongeek] has been working on changing the OS fingerprint of his Windows box. Common network tools like Nmap, P0f, Ettercap, and NetworkMiner can determine what operating system is being run by the behavior of the TCP/IP stack. By changing this behavior, you can make your system appear to be another OS. [Irongeek] started writing his own tool by checking the source of Security Cloak to find out what registry keys needed to be changed. His OSfuscate tool lets you define your own .os fingerprint file. You can pretend to be any number of different systems from IRIX to Dreamcast. Unfortunately this only works for TCP/IP. Other methods, like Satori‘s DHCP based fingerprinting, still work and need to be bypassed by other means. Yes, this is just “security through obscurity”, but it is something fun to play with.

Comments

  1. happypinguin says:

    The best way to change your windows fingertip is to replace it with linux. 100% guaranteed.

  2. aka-44 says:

    notta hack.

  3. Dan says:

    Oh piss off with the ‘not a hack’ posts. We get it, it /isn’t/ a hack, but for what it’s worth, some of these posts are quite informative otherwise. So, if you don’t like it, don’t think it’s a hack, or are just posting for the sake of it, lay off. You can go out, start your own blog, and try to find a minimum of one innovative hack a day.

    ‘Nuff said.

  4. Circs says:

    Actually I found this quite interesting. I’d really like my server to show up as a dreamcast. It just adds another layer of obscurity, which alone isn’t the best defense, but combined with other security measures is pretty cool.

    @happypenguin: Although my entire network and my cluster are all Linux I’m going to have to say that stating windows’ inferiority and treating win users like they’re below you isn’t going to win many converts.

    @aka-44: Have you done better? On the chance you have, submit it to hack a day. (However personally I’d like to put your internet in read only mode.)

  5. Wwhat says:

    I would not let a utility change my network settings without knowing exactly what it changed, look at the MTU changes for instance, that alone can already thoroughly mess up your network, that’s not just ‘fun’ but has quite an impact on your system.

  6. richo says:

    Erm.. to all you “linux is t3h r0xors!” Kiddies, what basis for comparison have you got? I’ve run linux for 10+ years, but it’s not the be all and end all. Right now i’m on osX, at work i’m on vista. My server is FreeBSD. One of my DB machines is Irix, another HP UX. Horses for courses, as all things.

    That said, windows machines SHOULD NOT be exposed to unfriendlies, and SHOULD NOT be responsible for their own security.

    My windows networks pull everything from their Unix domain controller.

  7. Mark Esler says:

    Props to Iron Geek again.. he always seems to pump out some good stuff.. and is responsive in emails too.

  8. Circs says:

    I’d like to draw attention to this for the whiny penguins among us.

    53.7% of Hack-a-day’s readers hit this site with XP, while only 8.5% are using Linux. http://www.sitemeter.com/?a=stats&s=sm6hackaday&r=19

    @wwhat: Sounds like a way to learn a lot about your network to me. Also I’m pretty certain that he *does* tell you exactly what it changes, right on the page H-a-D links to.

    @richo: Linux in my opinion is the best out there, I’ve been using most anything you can name since about 89. However I have one rig that dual boots… So i guess i can see some of your point.

    And mad props to iron geek for getting more in depth in these kind of oddities.

  9. Wwhat says:

    I saw the page and the mention of mtu and scaling, but that’s not all it does, but I hope the program does report it all.
    And it can be damn hard to get to the bottom of what windows does in regards to its TCP stack, I’ve been there, half of it is undocumented and more than half controlled by registry settings, which again are very specific to which windows and which version pack, but that part is also poorly documented, the microsoft site lists some stuff as being applicable to w2k but it is in fact functional in XP, but not all of it, only testing can tell, it’s quite the mess trying to get to the bottom of stuff.
    Oh and did I mention some registry settings are only used when other settings are set in a specific way, and/or have been added by the user because they are not present by default?
    Nightmarish.

  10. choyal says:

    if we are using iplog this will also help us in making OS detection fail because all tools are use winpcap library to check.

  11. Cool site! I’m definitely looking forward to reading more :)

  12. adding to twitter this is great info.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 96,699 other followers