Passive OS fingerprint change to Mac OS X (Linux)

Ubuntu 16.04 server with a proxy (3proxy) running on it. When I connect through the proxy from a MacBook, the OS fingerprint is identified as Linux 3.11 and newer [fuzzy] (http://witch.valdikss.org.ru/).
At the moment, using simple changes to the kernel settings in /etc/sysctl.conf, I can make it change to Android (Linux 2.2.x-3.x [generic] [fuzzy]) and Windows NT.
I need to change the OS fingerprint so that http://witch.valdikss.org.ru/ identifies the connection as Mac OS X [generic] [fuzzy].

According to the p0f README, "one of the most valuable TCP fingerprinting signals" is the TCP options layout. Applied to the macOS and Linux fingerprint entries, this means we have to change the layout from:
mss,sok,ts,nop,ws
to
mss,nop,ws,nop,nop,ts,sok,eol+1
This cannot be done with sysctl, since the Linux kernel hard-codes this order in the tcp_connect syscall: https://github.com/torvalds/linux/blob/bab5c80b211035739997ebd361a679fa85b39465/net/ipv4/tcp_output.c#L458
So you must write a netfilter kernel module that mangles the TCP options later, as the TCPMSS module does:
https://github.com/torvalds/linux/blob/master/net/netfilter/xt_TCPMSS.c
Either patching tcp_connect or writing a custom netfilter module requires strong kernel programming skills.
Another option is to intercept the TCP SYN/SYN+ACK packets in a user-space program (nfqueue, or tproxy with raw sockets, may help), mangle them and write them back to the kernel. This can hurt performance significantly, but it is easier to implement.
UPD: I googled a working, if dirty, example of this technique based on nfqueue/python: https://forums.hak5.org/topic/33532-p0f-mangler/
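The core of the user-space approach above is the rewrite of the option bytes in the outgoing SYN. The following is an added example (not code from the answer, nor from the hak5 mangler it links): it takes a raw IPv4+TCP packet, keeps the MSS, window-scale, timestamp and SACK values the Linux stack chose, re-emits them in the macOS order mss,nop,ws,nop,nop,ts,sok,eol+1, and recomputes the data offset, IP total length and both checksums, since the option block grows from 20 to 24 bytes. The sample SYN (10.0.0.2:40000 -> 10.0.0.1:443) is constructed inline so the code runs offline; the nfqueue binding that would feed real packets into mangle_syn() is assumed and not shown.

```python
import struct

# TCP option kinds (RFC 793/1323/2018) and their p0f layout names
EOL, NOP, MSS, WS, SACKOK, TS = 0, 1, 2, 3, 4, 8
NAMES = {EOL: "eol", NOP: "nop", MSS: "mss", WS: "ws", SACKOK: "sok", TS: "ts"}
# Target order from the macOS p0f signature quoted above; the trailing EOL is
# followed by zero padding to a 4-byte boundary, which p0f prints as "eol+N".
MACOS_ORDER = [MSS, NOP, WS, NOP, NOP, TS, SACKOK, EOL]


def parse_options(raw):
    """Return [(kind, payload)] in wire order; parsing stops at EOL."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            opts.append((EOL, b""))
            break
        if kind == NOP:
            opts.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        ln = raw[i + 1]
        opts.append((kind, raw[i + 2:i + ln]))
        i += ln
    return opts


def build_options(opts):
    out = bytearray()
    for kind, payload in opts:
        out += bytes([kind]) if kind in (EOL, NOP) else bytes([kind, len(payload) + 2]) + payload
    return bytes(out)


def layout(raw):
    """p0f-style layout string, e.g. 'mss,sok,ts,nop,ws' or '...,eol+1'."""
    opts = parse_options(raw)
    used = sum(1 if k in (EOL, NOP) else len(v) + 2 for k, v in opts)
    return ",".join("eol+%d" % (len(raw) - used) if k == EOL else NAMES.get(k, "?%d" % k)
                    for k, v in opts)


def reorder_to_macos(raw):
    """Keep the option values the Linux stack chose, emit them in macOS order."""
    have = {k: v for k, v in parse_options(raw) if k not in (EOL, NOP)}
    missing = [NAMES[k] for k in (MSS, WS, TS, SACKOK) if k not in have]
    if missing:
        raise ValueError("SYN lacks options needed for the macOS layout: %s" % missing)
    new = build_options([(k, have.get(k, b"")) for k in MACOS_ORDER])
    return new + b"\x00" * (-len(new) % 4)   # 23 bytes -> 24, hence "eol+1"


def csum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def mangle_syn(pkt):
    """Rewrite an IPv4 TCP SYN's option layout; any other packet passes through."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if ip[9] != 6 or (tcp[13] & 0x12) != 0x02:       # not TCP, or not a pure SYN
        return pkt
    doff = (tcp[12] >> 4) * 4
    new_opts = reorder_to_macos(bytes(tcp[20:doff]))
    tcp = tcp[:20] + new_opts + tcp[doff:]
    tcp[12] = ((20 + len(new_opts)) // 4) << 4 | (tcp[12] & 0x0F)
    # The segment grew, so both checksums must be recomputed from scratch.
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", tcp, 16, csum(pseudo + bytes(tcp)))
    struct.pack_into("!H", ip, 2, ihl + len(tcp))
    ip[10:12] = b"\x00\x00"
    struct.pack_into("!H", ip, 10, csum(bytes(ip)))
    return bytes(ip + tcp)


def inspect(pkt):
    """Summarize what a fingerprinter would see (used by the demo and tests)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    mss = dict(parse_options(opts))[MSS]
    return {"layout": layout(opts), "mss": struct.unpack("!H", mss)[0],
            "ip_len": struct.unpack("!H", ip[2:4])[0],
            "ip_csum_ok": csum(ip) == 0, "tcp_csum_ok": csum(pseudo + tcp) == 0}


def build_linux_syn(flags=0x02):
    """Constructed sample: Linux-style SYN 10.0.0.2:40000 -> 10.0.0.1:443 (mss 1460, wscale 7)."""
    opts = build_options([(MSS, b"\x05\xb4"), (SACKOK, b""), (TS, struct.pack("!II", 123456, 0)),
                          (NOP, b""), (WS, b"\x07")])
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 443, 0x11223344, 0,
                                ((20 + len(opts)) // 4) << 4, flags, 29200, 0, 0)) + opts
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                               64, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])))
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", tcp, 16, csum(pseudo + bytes(tcp)))
    struct.pack_into("!H", ip, 10, csum(bytes(ip)))
    return bytes(ip + tcp)


if __name__ == "__main__":
    syn = build_linux_syn()
    print("before:", inspect(syn))
    print("after: ", inspect(mangle_syn(syn)))
```

Two caveats for anyone wiring this into nfqueue: only pure SYNs are touched (SYN+ACK replies from the proxy are left alone), and p0f also compares the window size, window-scale factor, TTL and IP flags against the signature, so a correct options layout alone does not guarantee a Mac OS X match.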

Related

How do libraries like Scapy, Npcap, WinPcap, etc. get around Windows' limitations on sending raw TCP packets?

I learned the hard way that modern Windows machines do not permit sending TCP data over raw sockets, after trying to perform the TCP handshake myself in Python. And yet Scapy, a Python library, is able to do it seemingly just fine. Other libraries, like Npcap and WinPcap, also seem to be able to send raw TCP data just fine on Windows. How is this possible? What are these libraries doing under the hood that enables them to bypass this limitation?
The WinPcap (the Windows implementation of libpcap) authors say on their website:
WinPcap consists of a driver that extends the operating system to provide low-level network access and a library that is used to easily access low-level network layers.
So the answer to your question would be: on Windows, the implementation of libpcap (which is what Scapy uses, according to their site) uses a driver to get access to the low-level networking.

Permanently save Netlink Sockets changes

In order to configure network interfaces on Ubuntu 16.04 LTS, I recently developed a C program which uses Netlink sockets for communication between user space and kernel space.
After successfully changing the IP/gateway/netmask addresses (emulating some iproute2 functions), I need to save these changes permanently. Indeed, after a reboot these changes are dropped.
I don't want to change the /etc/network/interfaces file or use Network Manager, but to communicate programmatically with the Linux kernel.
Is there any way of doing it?
Regards

Bypass nmap and change the OS CPE in Ubuntu

How can I change the OS CPE in Ubuntu?
This is my CPE: OS CPE: cpe:/o:linux:linux_kernel:3
When scanning with nmap, it leaks all my OS properties, but I need to change the original information to fake information.
My main goal is that the nmap scanner cannot identify the type of operating system.
This question belongs more on Security StackExchange. Anyway...
There are ways to "trick" nmap fingerprinting, but it is not an easy task.
Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match.
You can fool some tools' detection by spoofing the banner or signature. But if you want to fool the OS fingerprinting, it is not an easy task. You must have a pretty comprehensive set of TCP frame sizes, keepalive functionality, packet sequence numbers, service banners, etc. It is a tough task.
Methods to defeat Nmap OS fingerprinting in Linux are written as kernel modules, or at least as patches to the Linux kernel.
Look at the nmap documentation on this topic.

Ethernet frames from NIC

I'm looking for help and advice on a network project I've been working on lately. It requires a Linux machine to act as a passive network appliance.
Network packets come in on one network interface and go out on another (net--eth0-->Linux PC--eth1-->net) without any modification of the data.
The application that will run on the Linux system will only change the order of the packets. It is going to be a "silly" network emulator application.
The first implementation was made with raw sockets, where read() is called every time a packet arrives in user space and write() is called when an Ethernet packet should be sent down to the NIC.
I would like to know if there is a more practical and direct way than raw sockets, bypassing the Linux network stack.
If what you want is to bypass the kernel, DPDK on Linux and netmap on FreeBSD are options to do just that.
Indeed, this can be done with DPDK on Linux. There are l3fwd and l2fwd sample applications in the examples folder of the DPDK tree, which may inspire you. Also consider using VPP, an fd.io project hosted by the Linux Foundation, which can use DPDK.
Rami Rosen

How do I enable TCP MD5 Signatures on CentOS

After a small amount of research, it seems that TCP MD5 signatures are enabled on CentOS, but our PCI security software has indicated that our machines are not actually using them. How do I configure CentOS to use TCP MD5 signatures?
Edit:
I thought this was a global setting, but it is actually a per-socket setting. This means the application that creates the socket (in this case Sun Application Server) has to be the one to specify this option.
TCP-MD5 is part of the Linux kernel; you will only have the capability if your kernel is compiled with the option enabled (you may be able to dump /proc/config.gz and, if so, grep for CONFIG_TCP_MD5SIG). The second part is an application that actually performs the setsockopt() to enable TCP_MD5 for that connection.
If CentOS is anything like RHEL, the kernel config should be under /boot.
grep TCP_MD5 /boot/config-*
Otherwise, yes, it's a somewhat undocumented option to setsockopt().
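Since the option is per socket and barely documented, here is an added example of what that setsockopt() call looks like from an application (this is not code from the answers above, nor from any CentOS or application-server component). It packs a struct tcp_md5sig exactly as laid out in linux/tcp.h (sockaddr_storage, flags, prefixlen, keylen, ifindex, 80-byte key) for an IPv4 peer, because the Python socket module does not export TCP_MD5SIG; the constant value 14 is taken from that header. The loopback demo assumes a kernel built with CONFIG_TCP_MD5SIG and reports None when the kernel rejects the option, which is the "enabled but not actually used" situation the question describes.

```python
import socket
import struct
import threading

# From <linux/tcp.h>; not exported by the Python socket module.
TCP_MD5SIG = 14
TCP_MD5SIG_MAXKEYLEN = 80
SOCKADDR_STORAGE_LEN = 128      # sizeof(struct sockaddr_storage)


def tcp_md5sig(peer_ip, key):
    """Pack a struct tcp_md5sig for one IPv4 peer.

    Layout (linux/tcp.h): sockaddr_storage tcpm_addr; u8 tcpm_flags;
    u8 tcpm_prefixlen; u16 tcpm_keylen; u32 tcpm_ifindex; u8 tcpm_key[80].
    """
    if not 1 <= len(key) <= TCP_MD5SIG_MAXKEYLEN:
        raise ValueError("key must be 1..%d bytes" % TCP_MD5SIG_MAXKEYLEN)
    # sockaddr_in inside the storage: sa_family in host order, sin_port (0), sin_addr
    addr = struct.pack("=H", socket.AF_INET) + b"\x00\x00" + socket.inet_aton(peer_ip)
    addr = addr.ljust(SOCKADDR_STORAGE_LEN, b"\x00")
    tail = struct.pack("=BBHI", 0, 0, len(key), 0)      # flags, prefixlen, keylen, ifindex
    return addr + tail + key.ljust(TCP_MD5SIG_MAXKEYLEN, b"\x00")


def enable_md5(sock, peer_ip, key):
    """Install the key for one peer; must be done before connect() / accept()."""
    sock.setsockopt(socket.IPPROTO_TCP, TCP_MD5SIG, tcp_md5sig(peer_ip, key))


def md5_echo_demo(key_client, key_server, host="127.0.0.1"):
    """Keyed loopback echo. Returns True on success, False if the handshake
    fails (e.g. the keys differ, so the server silently drops the SYN), and
    None if the kernel lacks CONFIG_TCP_MD5SIG (setsockopt raises ENOPROTOOPT)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    port = srv.getsockname()[1]
    try:
        enable_md5(srv, host, key_server)
    except OSError:
        srv.close()
        return None
    srv.listen(1)
    srv.settimeout(2)
    server_ok = []

    def serve():
        try:
            conn, _ = srv.accept()
            conn.sendall(conn.recv(16))
            conn.close()
            server_ok.append(True)
        except OSError:
            server_ok.append(False)

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.socket()
    cli.settimeout(2)
    enable_md5(cli, host, key_client)
    try:
        cli.connect((host, port))
        cli.sendall(b"ping")
        ok = cli.recv(16) == b"ping"
    except OSError:
        ok = False
    finally:
        cli.close()
        t.join()
        srv.close()
    return ok and server_ok == [True]


if __name__ == "__main__":
    print("matching keys:  ", md5_echo_demo(b"s3cret", b"s3cret"))
    print("mismatched keys:", md5_echo_demo(b"s3cret", b"wrong"))
```

Both ends must install the key for the other's address before the handshake; a segment whose MD5 option does not verify is discarded without a RST, which is why the mismatched-key case shows up as a connect timeout rather than a refused connection.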
Perhaps you are referring to TCP SYN cookies. To enable them:
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
