nmap fingerprint

Robert Millan rmh@debian.org
Wed, 23 Mar 2005 10:27:20 +0100


On Wed, Mar 23, 2005 at 02:21:01AM +0200, Guillem Jover wrote:
> On Tue, Mar 22, 2005 at 10:44:05PM +0100, Robert Millan wrote:
> > I've made this pair of patches (one for kfreebsd and one for nmap) that makes
> > our kernel produce slightly different tcp/ip fingerprints than unmodified
> > kernel of FreeBSD, and nmap able to identify our version.
> 
> But they are using the same kernel, don't diverge from upstream (in
> this case, the kernel) gratuitously.

In fact, we're already diverging from upstream in more relevant ways than this
one (look at patches 904 or 907 for example).  My policy for adding patches to
the kfreebsd package has been to add it if it makes sense, regardless of
whether upstream wants it.  I always try to merge my patches in upstream though.

> > The idea is that with this change GNU/kFreeBSD webservers no longer will be
> > misidentified as FreeBSD in places like netcraft (www.netcraft.com), etc.
> 
> It's just identifying the kernel, or in other words the tcp/ip stack,
> a better way to report a different system is via httpd for example,
> so in the userland where it belongs, the kernel should not have the
> knowledge of which system it's running under.

Uhm.. I ask you the same I said to Alex, are you sure netcraft bases their
detection on the contents of http headers?  It'd be interesting to find that
out before discussing other options, but the information in their website is
somewhat ambiguous.

> > Any comments?  I would appreciate some testing on the patch before committing
> > it (specially because I'm not sure if reducing the max window size could have
> > undesired effects).
> 
> Well we'll lose a byte, also if there's Foo/kFreeBSD in the future
> they will have to subtract one from our definition as well? Seems
> a very nasty hack.

Well it used to be 0x402E back in FreeBSD 4.x.  It is the "max" bit that
worries me (perhaps the correct place to change that is somewhere else in the
code).

-- 
 .''`.   Proudly running Debian GNU/kFreeBSD unstable/unreleased (on UFS2+S)
: :' :
`. `'    http://www.debian.org/ports/kfreebsd-gnu
  `-