This document discusses IpMorph, an open source software project that aims to defeat OS fingerprinting tools by spoofing the OS fingerprint of systems. It provides an overview of OS fingerprinting techniques, the state of spoofing tools at the time of writing, IpMorph's architecture and components, and how it can spoof fingerprints seen by tools like Nmap.

1. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM 1
IpMorph :
Unification of OS fingerprinting defeating
or, how to defeat common OSFP tools.
Guillaume PRIGENT
Florian VICHOT
DIATEAM - Brest
vendredi 30 octobre 2009

2. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Context
2
Reason for creating IpMorph :
– Hynesim Project: We needed a way to disguise low-interaction
guests (OpenVZ) as different, non-unix OSes.
– We already had some software components from previous
projects
– It seemed fun (at the time)
Guiding principles :
– Complete software, not just proof-of-concept
– Unification of spoofing mechanisms
– No network disruptions
vendredi 30 octobre 2009

3. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
OS fingerprinting typology
3
Detection techniques
Active Passive
Binaries
thc-rut
Xprobe2
Nmap
Ring2
SinFP
p0f
SinFP
Ettercap
Timeouts
Network sniffing
TCPHeaders
ICMPReplies
ISNProfile
Banners
Gathering Stack fingerprinting
vendredi 30 octobre 2009

4. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
4
OSFP Timeline
vendredi 30 octobre 2009

5. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
4
OSFP Timeline
vendredi 30 octobre 2009

6. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Fingerprinting principles
5
NETWORK
A
Active stack fingerprinting
Nmap,
SinFP, …
Advantages Drawbacks
Quick, precise «Noisy», recognisable
vendredi 30 octobre 2009

7. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Fingerprinting principles
5
NETWORK
A
Active stack fingerprinting
Nmap,
SinFP, …
A =
Advantages Drawbacks
Quick, precise «Noisy», recognisable
vendredi 30 octobre 2009

8. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Fingerprinting principles
6
AB
Passive stack fingerprinting
p0f,
SinFP, …
NETWORK
Advantages Drawbacks
stealthy slow, vague
vendredi 30 octobre 2009

9. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Fingerprinting principles
6
AB A =B =
Passive stack fingerprinting
p0f,
SinFP, …
NETWORK
Advantages Drawbacks
stealthy slow, vague
vendredi 30 octobre 2009

10. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
IpMorph use-cases
7
SYN SYN+ACK
Active OSFP + Virtual Machines
A
B
SYN SYN+ACK
Passive OSFP + Virtual Machines
B
A
vendredi 30 octobre 2009

11. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
IpMorph use-cases
7
A =
B =
SYN SYN+ACK
Active OSFP + Virtual Machines
A
B
SYN SYN+ACK
Passive OSFP + Virtual Machines
B
A
vendredi 30 octobre 2009

12. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
IpMorph use-cases
7
A =
B =
SYN SYN+ACK
Active OSFP + Virtual Machines
A
B
A =
B =
SYN SYN+ACK
Passive OSFP + Virtual Machines
B
A
vendredi 30 octobre 2009

13. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Spoofing state of the art
8
• Filtering
– Stealth patch : Unmaintained as of 2002, GNU/Linux kernel 2.2-2.4
– Blackhole : FreeBSD, kernel options
– IPlog : Unmaintained as of 2001, *BSD
– Packet filter : OpenBSD
• Host TCP/IP stack tweaking
– Ip Personality
– Fingerprint Fucker
– Fingerprint scrubber
– OSfuscate
• Host TCP/IP stack replacement (proxy behaviour)
– Honeyd
– Packet purgatory / Morph
vendredi 30 octobre 2009

14. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Software bricks
9
• Coded in C++
• Userland application
• Tools:
–IpMorph (Core)
–IpMorph Controller
–IpMorph Personality Manager
–IpView (IpMorph GUI)
• Portability :
–GNU/Linux
–*BSD, Mac OS
• GPLv3 License
vendredi 30 octobre 2009

15. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Interface layerInterface layer
Eth. Write
General architecture
10
Eth. Write
TCP
Filter & Processor
Context queueExposed IP stack Protected IP stack
TCPUDPICMPIPETH
TCPUDPICMPIPETH
UDP
Filter
ICMP Filter
IP Filter
Eth. Read
(R)ARP
TCP
Filter & Processor
UDP
Filter
ICMP Filter
IP Filter
(R)ARP
Eth. Read
eth tap fd eth tap fd
Frag. & Reass. Frag. & Reass.
Scheduler
UDP context tracker & data
processor (plugins)
ICMP context tracker & data
processor (plugins)
IP context tracker & data
processor (plugins)
(R)ARP translation
processor
TCP context tracker & data
processor (plugins)
vendredi 30 octobre 2009

16. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Interface layerInterface layer
Eth. Write
General architecture
10
Eth. Write
TCP
Filter & Processor
Context queueExposed IP stack Protected IP stack
TCPUDPICMPIPETH
TCPUDPICMPIPETH
UDP
Filter
ICMP Filter
IP Filter
Eth. Read
(R)ARP
TCP
Filter & Processor
UDP
Filter
ICMP Filter
IP Filter
(R)ARP
Eth. Read
eth tap fd eth tap fd
Frag. & Reass. Frag. & Reass.
Scheduler
UDP context tracker & data
processor (plugins)
ICMP context tracker & data
processor (plugins)
IP context tracker & data
processor (plugins)
(R)ARP translation
processor
TCP context tracker & data
processor (plugins)
vendredi 30 octobre 2009

17. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Interface layerInterface layer
Eth. Write
General architecture
10
Eth. Write
TCP
Filter & Processor
Context queueExposed IP stack Protected IP stack
TCPUDPICMPIPETH
TCPUDPICMPIPETH
UDP
Filter
ICMP Filter
IP Filter
Eth. Read
(R)ARP
TCP
Filter & Processor
UDP
Filter
ICMP Filter
IP Filter
(R)ARP
Eth. Read
eth tap fd eth tap fd
Frag. & Reass. Frag. & Reass.
Scheduler
UDP context tracker & data
processor (plugins)
ICMP context tracker & data
processor (plugins)
IP context tracker & data
processor (plugins)
(R)ARP translation
processor
TCP context tracker & data
processor (plugins)
vendredi 30 octobre 2009

18. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Interface layerInterface layer
Eth. Write
General architecture
10
Eth. Write
TCP
Filter & Processor
Context queueExposed IP stack Protected IP stack
TCPUDPICMPIPETH
TCPUDPICMPIPETH
UDP
Filter
ICMP Filter
IP Filter
Eth. Read
(R)ARP
TCP
Filter & Processor
UDP
Filter
ICMP Filter
IP Filter
(R)ARP
Eth. Read
eth tap fd eth tap fd
Frag. & Reass. Frag. & Reass.
Scheduler
UDP context tracker & data
processor (plugins)
ICMP context tracker & data
processor (plugins)
IP context tracker & data
processor (plugins)
(R)ARP translation
processor
TCP context tracker & data
processor (plugins)
vendredi 30 octobre 2009

19. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Interface layerInterface layer
Eth. Write
General architecture
10
Eth. Write
TCP
Filter & Processor
Context queueExposed IP stack Protected IP stack
TCPUDPICMPIPETH
TCPUDPICMPIPETH
UDP
Filter
ICMP Filter
IP Filter
Eth. Read
(R)ARP
TCP
Filter & Processor
UDP
Filter
ICMP Filter
IP Filter
(R)ARP
Eth. Read
eth tap fd eth tap fd
Frag. & Reass. Frag. & Reass.
Scheduler
UDP context tracker & data
processor (plugins)
ICMP context tracker & data
processor (plugins)
IP context tracker & data
processor (plugins)
(R)ARP translation
processor
TCP context tracker & data
processor (plugins)
vendredi 30 octobre 2009

20. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Interface layerInterface layer
Eth. Write
General architecture
10
Eth. Write
TCP
Filter & Processor
Context queueExposed IP stack Protected IP stack
TCPUDPICMPIPETH
TCPUDPICMPIPETH
UDP
Filter
ICMP Filter
IP Filter
Eth. Read
(R)ARP
TCP
Filter & Processor
UDP
Filter
ICMP Filter
IP Filter
(R)ARP
Eth. Read
eth tap fd eth tap fd
Frag. & Reass. Frag. & Reass.
Scheduler
UDP context tracker & data
processor (plugins)
ICMP context tracker & data
processor (plugins)
IP context tracker & data
processor (plugins)
(R)ARP translation
processor
TCP context tracker & data
processor (plugins)
vendredi 30 octobre 2009

21. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Nmap : Signature Format
11
Fingerprint FreeBSD 7.0-CURRENT
Class FreeBSD | FreeBSD | 7.X | general purpose
SEQ(SP=101-10D%GCD=<7%ISR=108-112%TI=RD%II=RI%TS=20|21|22)
OPS(O1=M5B4NW8NNT11%O2=M578NW8NNT11%O3=M280NW8NNT11%O4=M5B4NW8NNT11%O5=M218NW8NNT11%O6=M109NNT11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)
ECN(R=Y%DF=Y%T=40%TG=40%W=FFFF%O=M5B4NW8%CC=N%Q=)
T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=40%TG=40%W=FFFF%S=O%A=S+%F=AS%O=M109NW8NNT11%RD=0%Q=)
T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
U1(DF=N%T=40%TG=40%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(DFI=S%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S)
…
SP : TCP ISN
Predictability
GCD : TCP ISN
Greatest Common
Divisor
ISR : TCP
ISN counter
Rate
TI : TCP IP ID sequence
generation algorithm
II : ICMP IP ID sequence
generation algorithm
TS : TCP
timestamp option
algorithm
SS : Shared IP ID
sequence Boolean
W1-W6 :
TCP
initial win
size
O1-06: TCP
Options (ordering
& values)
DF: IP donʼt
fragment bit
T: IP initial time-
to-live
TG: IP initial
time-to-live
guess
W: TCP
initial win
size
S: TCP
seq.
number
A: TCP ack.
number
F: TCP
Flags
RD: TCP RST
data checksum
Q: TCP misc.
quirks
TOS: IP type of
service
IPL: IP total
length
UN: Unused port
unreach. field
nonzero
RID: Returned
probe IP ID value
RIPCK: Returned
probe IP
checksum value
RUCK: Returned
probe UDP
checksum
RUL: Returned probe
UDP length
RIPL: Returned
probe IP total
length value
vendredi 30 octobre 2009

22. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Nmap : Spoofing test RD
12
RD: TCP RST
data checksum
NETWORK
TCP
Headers
Flags: RST... Data: «Port closed etc...»
CRC32(«Port closed etc...») = 0x0af1a1cb
...
TCP SYN+RST packet on closed port
Reverse_CRC32(0x0af1a1cb) = 0x201111b8
SP : TCP ISN
Predictability
GCD : TCP ISN
Greatest Common
Divisor
ISR : TCP
ISN counter
Rate
TI : TCP IP ID sequence
generation algorithm
II : ICMP IP ID sequence
generation algorithm
vendredi 30 octobre 2009

23. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Nmap : Spoofing test RD
12
RD: TCP RST
data checksum
NETWORK
TCP
Headers
Flags: RST... Data: «Port closed etc...»
CRC32(«Port closed etc...») = 0x0af1a1cb
...
TCP SYN+RST packet on closed port
Reverse_CRC32(0x0af1a1cb) = 0x201111b8
SP : TCP ISN
Predictability
GCD : TCP ISN
Greatest Common
Divisor
ISR : TCP
ISN counter
Rate
TI : TCP IP ID sequence
generation algorithm
II : ICMP IP ID sequence
generation algorithm
Port closed
vendredi 30 octobre 2009

24. We keep 2 counters:
This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Nmap : Spoofing tests TI / II
13
RD: TCP RST
data checksum
SP : TCP ISN
Predictability
GCD : TCP ISN
Greatest Common
Divisor
ISR : TCP
ISN counter
Rate
TI : TCP IP ID sequence
generation algorithm
II : ICMP IP ID sequence
generation algorithm
IP
Headers:
IP ID... Data...
Typical IP packet
Possible algorithms:
Always zero
Constant
Constant increment
...
_lastIpIdTcp
_lastIpIdOther
vendredi 30 octobre 2009

25. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Nmap : Spoofing tests SP / GCD / ISR
14
RD: TCP RST
data checksum
SP : TCP ISN
Predictability
GCD : TCP ISN
Greatest Common
Divisor
ISR : TCP
ISN counter
Rate
TI : TCP IP ID sequence
generation algorithm
II : ICMP IP ID sequence
generation algorithm
IP
Headers
Sequence
number
... ...
Typical TCP Header
Nmaps send 6 TCP probes, at a 550ms interval.
Seq 1 Seq 2 Seq 3 Seq 4 Seq 5 Seq 6
∆1
ISR SP GCD
}}
∆2 ∆3 ∆4 ∆5Compute differences :
Get all 6 ISNs :
Compute mean, stddev and GCD :
vendredi 30 octobre 2009

26. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Nmap : Spoofing tests SP / GCD / ISR
15
RD: TCP RST
data checksum
SP : TCP ISN
Predictability
GCD : TCP ISN
Greatest Common
Divisor
ISR : TCP
ISN counter
Rate
TI : TCP IP ID sequence
generation algorithm
II : ICMP IP ID sequence
generation algorithm
What we want
SP
Mean from
ISR
What we have
Box-Muller points
ISN candidates
GCD compatible values
vendredi 30 octobre 2009

27. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Nmap : Spoofing tests SP / GCD / ISR
15
RD: TCP RST
data checksum
SP : TCP ISN
Predictability
GCD : TCP ISN
Greatest Common
Divisor
ISR : TCP
ISN counter
Rate
TI : TCP IP ID sequence
generation algorithm
II : ICMP IP ID sequence
generation algorithm
What we want
SP
Mean from
ISR
What we have
Box-Muller points
ISN candidates
GCD compatible values
vendredi 30 octobre 2009

28. Offset 0-3 4-7 8-11 12-15 16-19 20-23 24-27 28-31
0 Source portSource portSource portSource port Destination PortDestination PortDestination PortDestination Port
32 Sequence numberSequence numberSequence numberSequence numberSequence numberSequence numberSequence numberSequence number
64 Acknowledgment numberAcknowledgment numberAcknowledgment numberAcknowledgment numberAcknowledgment numberAcknowledgment numberAcknowledgment numberAcknowledgment number
96 Data
Offset
Reserved FlagsFlags Window SizeWindow SizeWindow SizeWindow Size
128 ChecksumChecksumChecksumChecksum Urgent PointerUrgent PointerUrgent PointerUrgent Pointer
160
...
Options ...Options ...Options ...Options ...Options ...Options ...Options ...Options ...
This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
SinFP : How is the spoofing done ?
16
Binary :
heuristic0,
heuristic1,
heuristic2
TcpFlags :
heuristic0, heuristic1,
heuristic2
TcpMss : heuristic0,
heuristic1, heuristic2
TcpOptions :
heuristic0, heuristic1,
heuristic2
TcpWindow :
heuristic0, heuristic1,
heuristic2
{Constants:
•TTL, ID, DF
•seq and ack
vendredi 30 octobre 2009

29. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
p0f : Signature format
17
8192:128:1:52:M*,W8,N,N,N,S:.:Windows:Vista (beta)
TCP Window
Size
TCP Initial
TTL
IP Donʼt
Fragment Bit
TCP SYN
Packet Size
TCP Options Quirks OS System
Class
OS Name
• Version 2.0.8 (2006)
• 6 parameters analyzed
• Only on SYN packets (default DB = p0f.fp)
• Actually can analyze other type of packets, but very few
signatures available (experimental)
vendredi 30 octobre 2009

30. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Ring2 - congestion timeouts spoofing
18
vendredi 30 octobre 2009

31. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Future
19
• June 2009 – SSTIC 2009
– First demo
–« Beta release » 0.1 (available on website)
• End 2009 – Beginning 2010
–Refactoring (leaner, faster, easier to use)
–PersonalityManager, various tools...
–Version 0.2 will be available on website too
–Documentation...
–Possibly, integrate application-level scrubbers (DNS,
SMB, DHCP, …) ?
vendredi 30 octobre 2009

32. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Personality Manager
20
vendredi 30 octobre 2009

33. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Personality Manager
20
vendredi 30 octobre 2009

34. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
1 - Interface tap0
Demo
21
192.168.10.110
Linux Ubuntu 8.04
192.168.10.73
Nmap, Xprobe2,
SinFP, P0f
tap0
eth0
LAN
Demoʼs scenario
4 - Xprobe2
2 - VirtualBox
3- IpMorph
5 - Nmap
6 - SinFp as active
7 - SinFp as passive
8 - p0f
Configuration Active Fingerprinting Passive Fingerprinting
vendredi 30 octobre 2009

35. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Demo XProbe2
22
vendredi 30 octobre 2009

36. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Demo XProbe2
22
vendredi 30 octobre 2009

37. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Demo Nmap
23
vendredi 30 octobre 2009

38. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Demo Nmap
23
vendredi 30 octobre 2009

39. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Demo SinFP active
24
vendredi 30 octobre 2009

40. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Demo SinFP active
24
vendredi 30 octobre 2009

41. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Demo SinFP passive
25
vendredi 30 octobre 2009

42. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Demo SinFP passive
25
vendredi 30 octobre 2009

43. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM
v0.1
IpMorph : “How to defeat common OSFP tools”
2009/10/30 guillaume.prigent@diateam.net - DIATEAM
Demo p0f
26
vendredi 30 octobre 2009

44. This document is licensed under a Creative Commons Attribution 3.0 License
IpMorph is an Open Source project owned, developed and supported by DIATEAM 27
Thank you for
listening!
Questions ?
vendredi 30 octobre 2009