Avoiding OS Fingerprinting In Windows

[Irongeek] has been working on changing the OS fingerprint of his Windows box. Common network tools like Nmap, P0f, Ettercap, and NetworkMiner can determine what operating system is being run by the behavior of the TCP/IP stack. By changing this behavior, you can make your system appear to be another OS. [Irongeek] started writing his own tool by checking the source of Security Cloak to find out what registry keys needed to be changed. His OSfuscate tool lets you define your own .os fingerprint file. You can pretend to be any number of different systems from IRIX to Dreamcast. Unfortunately this only works for TCP/IP. Other methods, like Satori‘s DHCP based fingerprinting, still work and need to be bypassed by other means. Yes, this is just “security through obscurity”, but it is something fun to play with.

12 thoughts on “Avoiding OS Fingerprinting In Windows

  1. Oh piss off with the ‘not a hack’ posts. We get it, it /isn’t/ a hack, but for what it’s worth, some of these posts are quite informative otherwise. So, if you don’t like it, don’t think it’s a hack, or are just posting for the sake of it, lay off. You can go out, start your own blog, and try to find a minimum of one innovative hack a day.

    ‘Nuff said.

  2. Actually I found this quite interesting. I’d really like my server to show up as a dreamcast. It just adds another layer of obscurity, which alone isn’t the best defense, but combined with other security measures is pretty cool.

    @happypenguin: Although my entire network and my cluster are all Linux I’m going to have to say that stating windows’ inferiority and treating win users like they’re below you isn’t going to win many converts.

    @aka-44: Have you done better? On the chance you have, submit it to hack a day. (However personally I’d like to put your internet in read only mode.)

  3. I would not let a utility change my network settings without knowing exactly what it changed, look at the MTU changes for instance, that alone can already thoroughly mess up your network, that’s not just ‘fun’ but has quite an impact on your system.

  4. Erm.. to all you “linux is t3h r0xors!” Kiddies, what basis for comparison have you got? I’ve run linux for 10+ years, but it’s not the be all and end all. Right now i’m on osX, at work i’m on vista. My server is FreeBSD. One of my DB machines is Irix, another HP UX. Horses for courses, as all things.

    That said, windows machines SHOULD NOT be exposed to unfriendlies, and SHOULD NOT be responsible for their own security.

    My windows networks pull everything from their Unix domain controller.

  5. I’d like to draw attention to this for the whiny penguins among us.

    53.7% of Hack-a-day’s readers hit this site with XP, while only 8.5% are using Linux. http://www.sitemeter.com/?a=stats&s=sm6hackaday&r=19

    @wwhat: Sounds like a way to learn a lot about your network to me. Also I’m pretty certain that he *does* tell you exactly what it changes, right on the page H-a-D links to.

    @richo: Linux in my opinion is the best out there, I’ve been using most anything you can name since about 89. However I have one rig that dual boots… So i guess i can see some of your point.

    And mad props to iron geek for getting more in depth in these kind of oddities.

  6. I saw the page and the mention of mtu and scaling, but that’s not all it does, but I hope the program does report it all.
    And it can be damn hard to get to the bottom of what windows does in regards to its TCP stack, I’ve been there, half of it is undocumented and more than half controlled by registry settings, which again are very specific to which windows and which version pack, but that part is also poorly documented, the microsoft site lists some stuff as being applicable to w2k but it is in fact functional in XP, but not all of it, only testing can tell, it’s quite the mess trying to get to the bottom of stuff.
    Oh and did I mention some registry settings are only used when other settings are set in a specific way, and/or have been added by the user because they are not present by default?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.