nmap fingerprint

Robert Millan rmh@debian.org
Tue, 22 Mar 2005 22:44:05 +0100



Hi!

I've made this pair of patches (one for kfreebsd and one for nmap) that make
our kernel produce slightly different TCP/IP fingerprints than an unmodified
FreeBSD kernel, and make nmap able to identify our version.

The idea is that with this change GNU/kFreeBSD webservers will no longer be
misidentified as FreeBSD in places like netcraft (www.netcraft.com), etc.

Any comments?  I would appreciate some testing on the patch before committing
it (especially because I'm not sure if reducing the max window size could have
undesired effects).

-- 
 .''`.   Proudly running Debian GNU/kFreeBSD unstable/unreleased (on UFS2+S)
: :' :
`. `'    http://www.debian.org/ports/kfreebsd-gnu
  `-
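As an added example (not part of this mail or of either attached patch), a small parser for the nmap-os-fingerprints entry format, used to diff the GNU/kFreeBSD entry from nmap.diff against a stock-FreeBSD entry; that stock entry and its name are constructed for the example by putting W back to FFFF, not copied from nmap's database.

```python
import re

# nmap 1st-generation OS fingerprint entries (nmap-os-fingerprints format).
# KFREEBSD is the entry from the attached nmap.diff; STOCK_FREEBSD is CONSTRUCTED
# here by putting W back to FFFF (TCP_MAXWIN 65535), not taken from nmap's database.
KFREEBSD = """\
Fingerprint GNU/kFreeBSD with 5.3 kernel on x86
Class FreeBSD | FreeBSD | 5.X | general purpose
T1(DF=Y%W=FFFE%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=FFFE%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)
"""
STOCK_FREEBSD = KFREEBSD.replace("W=FFFE", "W=FFFF").replace(
    "GNU/kFreeBSD with 5.3 kernel on x86", "FreeBSD 5.3 (constructed)")

TEST_RE = re.compile(r"^(\w+)\((.*)\)$")   # e.g. T1(DF=Y%W=FFFE%...)

def parse_fingerprint(text):
    """Return (name, class fields, {test: {attr: value}}) for one entry."""
    name, cls, tests = None, None, {}
    for line in text.splitlines():
        line = line.strip()               # the diff's lines carry trailing blanks
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
        elif line.startswith("Class "):
            cls = [f.strip() for f in line[len("Class "):].split("|")]
        elif line:
            m = TEST_RE.match(line)
            if not m:
                raise ValueError("unparsable fingerprint line: " + line)
            # "DF=Y%W=FFFE%Ops=" -> {"DF": "Y", "W": "FFFE", "Ops": ""}
            tests[m.group(1)] = dict(kv.split("=", 1) for kv in m.group(2).split("%") if kv)
    return name, cls, tests

def diff_fingerprints(a, b):
    """Map (test, attr) -> (value in a, value in b) for every attribute that differs."""
    ta, tb = parse_fingerprint(a)[2], parse_fingerprint(b)[2]
    out = {}
    for test in sorted(set(ta) | set(tb)):
        va, vb = ta.get(test, {}), tb.get(test, {})
        for attr in sorted(set(va) | set(vb)):
            if va.get(attr) != vb.get(attr):
                out[(test, attr)] = (va.get(attr), vb.get(attr))
    return out
```

Running the diff shows that only T1.W and T3.W separate the two entries, so the whole identification rests on the one-unit TCP_MAXWIN change, while the Class fields stay identical to FreeBSD's.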

Attachment: nmap.diff

--- /usr/share/nmap/nmap-os-fingerprints.old	2005-03-22 23:24:57.000000000 +0100
+++ /usr/share/nmap/nmap-os-fingerprints	2005-03-22 23:27:23.000000000 +0100
@@ -5161,6 +5161,17 @@
 T7(DF=Y%W=0%ACK=S%Flags=AR%Ops=)
 PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)
 
+Fingerprint GNU/kFreeBSD with 5.3 kernel on x86 
+Class FreeBSD | FreeBSD | 5.X | general purpose 
+T1(DF=Y%W=FFFE%ACK=S++%Flags=AS%Ops=MNWNNT) 
+T2(Resp=N) 
+T3(Resp=Y%DF=Y%W=FFFE%ACK=S++%Flags=AS%Ops=MNWNNT) 
+T4(DF=Y%W=0%ACK=O%Flags=R%Ops=) 
+T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=) 
+T6(DF=Y%W=0%ACK=O%Flags=R%Ops=) 
+T7(DF=Y%W=0%ACK=S%Flags=AR%Ops=) 
+PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E) 
+
 Fingerprint FreeSCO 0.27 (Linux 2.0.38)
 Class FreeSCO | Linux | 2.0.X | router
 TSeq(Class=RI%gcd=<6%SI=<1F22A6E&>4E0A2%IPID=Z%TS=100HZ)
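Review bot: every added line in this hunk ends in a trailing space (visible after "x86 ", "general purpose " and each closing ")"), which the surrounding entries do not have; strip them before committing so the Fingerprint name and each test string are byte-identical to what nmap will compare against. The Class line also carries the same "FreeBSD | FreeBSD | 5.X | general purpose" classification as a stock FreeBSD entry, so any consumer that reports the OS family from the Class fields rather than the Fingerprint name will still call the host FreeBSD; consider a GNU/kFreeBSD-specific vendor or family value if the misidentification is to be fixed at that level too. Finally, the new entry has no TSeq line, unlike the FreeSCO entry that follows it; confirm that omitting the sequence-number test is intended rather than an oversight.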

Attachment: hack_tcp_fingerprint.diff

--- src/sys/netinet/tcp.h.old	2005-03-22 22:22:07.000000000 +0100
+++ src/sys/netinet/tcp.h	2005-03-22 22:22:27.000000000 +0100
@@ -146,7 +146,7 @@
  */
 #define	TCP6_MSS	1024
 
-#define	TCP_MAXWIN	65535	/* largest value for (unscaled) window */
+#define	TCP_MAXWIN	65534	/* largest value for (unscaled) window */
 #define	TTCP_CLIENT_SND_WND	4096	/* dflt send window for T/TCP client */
 
 #define TCP_MAX_WINSHIFT	14	/* maximum window shift */
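Review bot: the only trace of why TCP_MAXWIN is now 65534 is the unchanged comment "largest value for (unscaled) window", which still reads as though this were the protocol limit; document the intent inline (e.g. `/* 65534, not 65535: deliberately differs from stock FreeBSD so nmap can tell GNU/kFreeBSD apart */`) so a later merge from upstream or a well-meaning cleanup does not silently restore 65535 and with it the old fingerprint. Also audit every use of TCP_MAXWIN, in particular any place it is shifted by TCP_MAX_WINSHIFT (defined two lines below) to form the maximum scaled window, since the change lowers that ceiling as well as the unscaled advertised window; that is exactly the concern raised in the cover message and deserves an explicit check before committing.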
