FreeBSD 8.1 PF OS Fingerprinting

Hello there,

I've got a question about the capabilities of the built-in packet filter from OpenBSD.

Basically, what I want to do is simulate the network behaviour of a different OS to fool tools like nmap into believing the machine runs a different OS.
What I tried to do was the following:

Code:
nic="em0"
nic2="lo0"

set fingerprints "/etc/pf.os"

pass in on $nic from any os "Windows 2000"
pass in on $nic2 from any os "Windows 2000"

nmap still identifies my machine as running FreeBSD. I tried setting
Code:
pass out on $nic to any os "Windows 2000"
which gives me a parsing error when reloading the configuration file.

Does any of you know what the problem here might be?

Best regards, phil10
 
Whatever gave you the idea that pf.os(5) can be used to masquerade as a different operating system? It's used to detect the operating system connecting to it.

Code:
DESCRIPTION
     The pf(4) firewall and the tcpdump(1) program can both fingerprint the
     operating system of hosts that originate an IPv4 TCP connection.

Your 'pass in' rules allow Windows 2000 machines to connect to you.
 
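To make the point of the man page excerpt concrete, here is a simplified model of what pf's OS fingerprinting does, added as an illustration and not code from the thread or from the pf project itself. It parses fingerprint lines laid out as pf.os(5) describes them (window:ttl:df:psize:options:class:version:subtype:details) and matches an incoming SYN against them, which is the test a `pass in ... from any os "..."` rule performs. The fingerprint entries and the SYN packets are constructed for the demo, not copied from /etc/pf.os, and the TTL comparison is simplified. Note that the classification is applied to the SYN the firewall receives from the connecting host; the local host's own outgoing packets are never the subject of the test.

```python
# Added example, not code from the thread or from pf: a simplified model of
# the passive SYN matching pf does against pf.os(5) fingerprints.
# Fingerprint lines follow the pf.os(5) layout:
#     window:ttl:df:psize:options:class:version:subtype:details
# All fingerprint lines and SYN packets below are CONSTRUCTED for the demo
# (not taken from /etc/pf.os); the TTL comparison is a simplification.
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_PF_OS = """\
# window:ttl:df:psize:options:class:version:subtype:details (constructed)
65535:128:1:48:M*,N,N,S:Windows:2000:SP4:Windows 2000 SP4 (constructed)
65535:64:1:60:M*,N,W6,S,T:FreeBSD:8.x::FreeBSD 8.x (constructed)
S4:64:1:60:M*,S,T,N,W7:Linux:2.6::Linux 2.6 (constructed)
"""


@dataclass
class Syn:
    """Fields of an IPv4 TCP SYN that the fingerprint match looks at."""
    window: int
    ttl: int            # TTL as seen on the wire, already decremented by hops
    df: bool
    psize: int          # IP total length of the SYN
    mss: Optional[int]
    options: List[str]  # pf.os-style option codes in wire order, e.g. M1460


@dataclass
class Fingerprint:
    window: str         # number, '*', '%N', 'SN' (N*MSS) or 'TN' (N*MTU)
    ttl: int            # initial TTL of the sending stack
    df: bool
    psize: int
    options: List[str]
    os_class: str
    version: str
    subtype: str
    details: str


def parse_pf_os(text: str) -> List[Fingerprint]:
    """Parse fingerprint lines; comments and blank lines are skipped."""
    fps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":", 8)
        if len(f) != 9:
            raise ValueError(f"malformed fingerprint: {line}")
        fps.append(Fingerprint(f[0], int(f[1]), f[2] == "1", int(f[3]),
                               f[4].split(",") if f[4] else [], *f[5:]))
    return fps


def window_matches(spec: str, syn: Syn) -> bool:
    if spec == "*":
        return True
    if spec.startswith("%"):      # window is a multiple of a constant
        return syn.window % int(spec[1:]) == 0
    if spec.startswith("S"):      # window is N times the MSS
        return syn.mss is not None and syn.window == int(spec[1:]) * syn.mss
    if spec.startswith("T"):      # window is N times the MTU (MSS + 40)
        return syn.mss is not None and syn.window == int(spec[1:]) * (syn.mss + 40)
    return syn.window == int(spec)


def options_match(spec: List[str], syn: Syn) -> bool:
    """Options must appear in the same order; M* and W* accept any value."""
    if len(spec) != len(syn.options):
        return False
    for want, got in zip(spec, syn.options):
        if want[0] in "MW" and want.endswith("*"):
            if got[0] != want[0]:
                return False
        elif want != got:
            return False
    return True


def find_fingerprint(syn: Syn, fps: List[Fingerprint]) -> Optional[Fingerprint]:
    """First fingerprint whose fields all match; None means OS 'unknown'."""
    for fp in fps:
        if (fp.df == syn.df and fp.psize == syn.psize
                and 0 < syn.ttl <= fp.ttl     # simplified: must not exceed initial TTL
                and window_matches(fp.window, syn)
                and options_match(fp.options, syn)):
            return fp
    return None


def os_name(fp: Optional[Fingerprint]) -> str:
    if fp is None:
        return "unknown"
    return " ".join(x for x in (fp.os_class, fp.version, fp.subtype) if x)


def rule_matches(rule_os: str, fp: Optional[Fingerprint]) -> bool:
    """Emulate the os "<name>" test of a 'pass in ... from any os' rule:
    the name is a prefix of class / version / subtype, or the word 'unknown'."""
    if fp is None:
        return rule_os == "unknown"
    wanted = rule_os.split()
    have = [fp.os_class, fp.version, fp.subtype]
    return wanted == have[:len(wanted)]


# Constructed SYNs as the firewall would see them after a few hops.
SYN_WIN2K = Syn(65535, 121, True, 48, 1460, ["M1460", "N", "N", "S"])
SYN_FREEBSD = Syn(65535, 60, True, 60, 1460, ["M1460", "N", "W6", "S", "T"])
SYN_LINUX = Syn(5840, 57, True, 60, 1460, ["M1460", "S", "T", "N", "W7"])
SYN_ODD = Syn(8192, 255, False, 44, 1460, ["M1460"])

if __name__ == "__main__":
    fps = parse_pf_os(SAMPLE_PF_OS)
    for label, syn in [("win2k", SYN_WIN2K), ("freebsd", SYN_FREEBSD),
                       ("linux", SYN_LINUX), ("odd", SYN_ODD)]:
        fp = find_fingerprint(syn, fps)
        print(f'{label:8s} -> {os_name(fp):18s} os "Windows 2000" rule matches: '
              f"{rule_matches('Windows 2000', fp)}")
```

Running it shows that only the SYN shaped like the constructed Windows 2000 entry satisfies `os "Windows 2000"`, while the FreeBSD-shaped SYN does not, regardless of which rule the local machine has for its own outbound traffic.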
I haven't seen any option to edit posts, that's why I write it here.

What I meant by directions was: are there any sites that have worked on that? I mean, it would be possible to modify the TCP stack of the kernel so that nmap wouldn't be able to identify the running OS quite so easily. The problem is simulating the same behaviour as Windows 2k or some other OS.
 