PF TCP/IP stack passive OS Fingerprinting

With /etc/sysctl.conf
Code:
# prevent OS fingerprinting
net.inet.tcp.drop_synfin=1

and /etc/pf.conf
Code:
##### Normalization #####
scrub in on $ext_if all fragment reassemble no-df
scrub out log on $ext_if all random-id
scrub     log on $ext_if all reassemble tcp

##Block OS Fingerprinting
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF
##End of Block OS Fingerprinting

These tests still detect
https://www.browserleaks.com/
https://www.doileak.com/
Code:
TCP/IP stack OS Fingerprinting
Passive, SYN	FreeBSD 9.x or newer | Language: Unknown | Link: PPPoE | MTU: 1492 | Distance: 8 Hops

Trying to follow https://nmap.org/misc/defeat-nmap-osdetect.html#BSD I still cannot defeat the passive TCP OS Fingerprinting.

What am I missing?
 
Those settings do nothing to your outgoing traffic. So it's possible to have JavaScript create a connection and, based on certain flags of the SYN/SYN-ACK/ACK handshake, determine the OS.
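A passive SYN fingerprinter like the ones behind the test sites in this thread reads fields of the SYN the host itself builds, not anything the inbound rules see. The script below is an added example, not code from the original post and not p0f: a minimal p0f-style parser for a raw IPv4/TCP SYN that extracts TTL (and the hop distance implied by it), the DF bit, window size, MSS, window scale and the option order, then compares them with a small signature table. The SIGNATURES table, the sample SYNs and the addresses in build_syn are constructed for the demo and are not p0f's database.

```python
"""Passive TCP SYN fingerprinting, p0f-style, over raw IPv4/TCP bytes.

Added example for this thread (not the poster's code, not p0f). The point:
the fingerprint lives in the *outgoing* SYN, so inbound pf flag rules never
touch it.
"""
import struct

OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

# Constructed, illustrative table: (label, initial TTL, window or None for
# "any", option order, DF bit). These are assumptions for the demo, NOT
# p0f's fingerprint database.
SIGNATURES = [
    ("FreeBSD-like", 64, 65535, "mss,nop,ws,sok,ts", True),
    ("Linux-like", 64, None, "mss,sok,ts,nop,ws", True),
    ("Windows-like", 128, None, "mss,nop,ws,nop,nop,sok", True),
]


# TCP option encoders used to build the constructed sample SYNs.
def MSS(v):
    return struct.pack("!BBH", 2, 4, v)


def WS(shift):
    return bytes([3, 3, shift])


NOP = b"\x01"
SOK = b"\x04\x02"
TS = struct.pack("!BBII", 8, 10, 12345, 0)


def build_syn(ttl, df, win, options):
    """Constructed IPv4+TCP SYN for the demo (checksums zero; never sent)."""
    opts = b"".join(options)
    opts += b"\x00" * (-len(opts) % 4)          # pad options to 32-bit words
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))  # documentation addresses
    return ip + tcp


def parse_syn(pkt):
    """Extract the p0f-style fields from a raw IPv4/TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    frag, ttl, proto = struct.unpack("!HBB", pkt[6:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:                  # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    win = struct.unpack("!H", tcp[14:16])[0]
    opts, mss, wscale, i = [], None, None, 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                           # end of option list
            opts.append("eol")
            break
        if kind == 1:                           # NOP carries no length byte
            opts.append("nop")
            i += 1
            continue
        length = tcp[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        elif kind == 3:
            wscale = tcp[i + 2]
        opts.append(OPT_NAMES.get(kind, "?%d" % kind))
        i += length
    # Initial TTLs in the wild are 32/64/128/255; the gap is the hop distance.
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return {
        "ttl": ttl, "initial_ttl": initial_ttl, "distance": initial_ttl - ttl,
        "df": bool(frag & 0x4000), "win": win, "mss": mss, "wscale": wscale,
        "opts": ",".join(opts),
    }


def match_os(sig):
    """Return the first table label whose fields all match the parsed SYN."""
    for label, ittl, win, opts, df in SIGNATURES:
        if (ittl == sig["initial_ttl"] and df == sig["df"] and opts == sig["opts"]
                and (win is None or win == sig["win"])):
            return label
    return "unknown"


if __name__ == "__main__":
    # A SYN as a test site would see it from a host 8 hops away (TTL 64 - 8).
    syn = build_syn(56, True, 65535, [MSS(1460), NOP, WS(6), SOK, TS])
    sig = parse_syn(syn)
    print(sig, "->", match_os(sig))
```

Of the fields this parser reads, pf's scrub can only alter the TTL (min-ttl) and the MSS (max-mss) on packets it forwards; window size and option order are set by the stack that creates the SYN, which is why filtering inbound flag combinations changes nothing in the passive result.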
 
Drop the flag madness; those rules do absolutely nothing to make your systems more secure, especially since you have chosen to use scrub, which normalizes any anomalous traffic with weird flag combinations.

A good start for a measure that actually works would be to use a scrub rule like this:

Code:
scrub on $ext_if all fragment reassemble no-df random-id
 
Those settings do nothing to your outgoing traffic. So it's possible to have JavaScript create a connection and, based on certain flags of the SYN/SYN-ACK/ACK handshake, determine the OS.
Tests with the links above can be made with JavaScript disabled in the browser. They still detect the OS as FreeBSD.
 
Here's a way to prevent nmap's OS fingerprinting:

1. Find out how it actually works.
2. Then block matching packets (e.g. via ipfw).


Also, make sure you're not leaking data via banners, etc.:

Code:
# : | nc -N localhost 22
SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
# echo "VersionAddendum none" >>/etc/ssh/sshd_config
# service sshd restart
...
# : | nc -N localhost 22
SSH-2.0-OpenSSH_7.2
#
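The nc one-liner above checks one service by hand. The following is an added example, not the poster's code: a small banner audit that does the same grab over a socket and then checks the greeting for the vendor suffix that `VersionAddendum none` removes, or for any OS or distribution name in an arbitrary banner (SMTP greetings and HTTP Server headers included). The OS_TOKENS list and the sample banners are constructed for the demo; grab_banner needs a live target and is not run by the test.

```python
"""Service banner audit: does the greeting leak OS/distribution details?

Added example for this thread, not the poster's code. classify_ssh_banner()
splits an RFC 4253 identification string into software version and the
optional comment field (the part VersionAddendum controls); leaks_os() is a
generic check for any banner line.
"""
import re
import socket

# Constructed, illustrative token list; extend for your environment.
OS_TOKENS = re.compile(
    r"\b(FreeBSD|OpenBSD|NetBSD|Debian|Ubuntu|Red ?Hat|CentOS|Windows)\b", re.I)


def grab_banner(host, port, timeout=3.0, probe=b""):
    """Connect, optionally send a probe, return the first line the service sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        data = s.recv(256)
    return data.decode("ascii", "replace").split("\r\n")[0]


def classify_ssh_banner(banner):
    """RFC 4253: 'SSH-protoversion-softwareversion [SP comments]'.

    Returns (softwareversion, comments); the comments field is exactly the
    addendum that 'VersionAddendum none' suppresses in OpenSSH.
    """
    m = re.match(r"^SSH-(\d\.\d+)-(\S+)(?: (.*))?$", banner)
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    return m.group(2), m.group(3) or ""


def leaks_os(banner):
    """True if the banner names an operating system or distribution."""
    return bool(OS_TOKENS.search(banner))


def audit(banners):
    """Return [(banner, leaks)] for a list of banner lines (e.g. from grab_banner)."""
    return [(b, leaks_os(b)) for b in banners]


if __name__ == "__main__":
    # Constructed samples mirroring the before/after shown in the thread.
    for banner, leak in audit([
        "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
        "SSH-2.0-OpenSSH_7.2",
        "Server: Apache/2.4.25 (FreeBSD)",
    ]):
        print("LEAK " if leak else "ok   ", banner)
```

Run `grab_banner("localhost", 22)` (or with `probe=b"HEAD / HTTP/1.0\r\n\r\n"` against an HTTP port) and feed the result to `audit` to check a host's own services.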
 