IpMorph: Unification of OS fingerprinting defeating presented at HackLu 2009

by Guillaume Prigent, Florian Vichot

Summary: There currently exist many IP stack fingerprinting tools that allow one to identify the remote OS of potential targets with relative ease. In this talk, we will show that confusing or fooling remote OS fingerprinting (OSFP) tools is possible in a universal way. To demonstrate, we created IpMorph, a userland TCP/IP stack that monitors sessions and modifies packets on the fly to fool remote fingerprinting tools. We will detail its behaviour and algorithms against tools such as Nmap, Ring and SinFP. It is capable of fooling both the active and the passive mode of OSFP tools. Our goal is to unify all the different signature formats inside a single database of "personalities". IpMorph is configured (its attributes as well as its algorithms) according to those personalities. We will present the concepts and architecture behind IpMorph, and detail some of the technical challenges encountered: the difficulty of reversing certain signature information or of respecting some temporal constraints, all the while trying to guarantee transparency and discretion. We think this material is innovative, as no one has tried to determine what really defines a TCP/IP stack, which is what we are trying to do by unifying all signatures into personalities. Our work has already allowed us to find a bug in Nmap, raised issues with the relevance of some tests in SinFP, and helped us better understand what makes a TCP/IP stack unique and what constitutes efficient OSFP techniques.
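To make the "personality" idea concrete, here is an added example that is not part of the talk abstract or of IpMorph itself: a minimal passive fingerprint matcher. It reduces an observed TCP SYN to the handful of fields passive OSFP tools typically key on (initial TTL, window size, DF flag, TCP option order), compares them against a small constructed personality database, and reports which fields disagree. The personality values, field names and the `match` function are assumptions made for this illustration; they are not taken from Nmap, SinFP, Ring or any real signature file. Running it shows the point the abstract makes about consistency: rewriting only one field (here the TTL) still leaves the stack identifiable, whereas all fields must agree with the target personality to fool the matcher.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Personality:
    """Simplified personality: the fields a passive fingerprinter keys on.
    (Constructed representation for this example, not a real signature format.)"""
    name: str
    initial_ttl: int
    window: int
    df: bool
    options: tuple  # ordered TCP option kinds as seen in the SYN


# Constructed sample personalities; values are illustrative, not real signatures.
PERSONALITIES = [
    Personality("linux-like", 64, 29200, True, ("MSS", "SACK", "TS", "NOP", "WS")),
    Personality("windows-like", 128, 8192, True, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")),
    Personality("bsd-like", 64, 65535, True, ("MSS", "NOP", "WS", "SACK", "TS")),
]


def initial_ttl_from_observed(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial TTL (32, 64, 128, 255),
    since each router hop decrements it on the way to the observer."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    return 255


def signature(syn: dict) -> dict:
    """Derive the passive-fingerprint fields from an observed SYN (given as a dict)."""
    return {
        "initial_ttl": initial_ttl_from_observed(syn["ttl"]),
        "window": syn["window"],
        "df": syn["df"],
        "options": tuple(syn["options"]),
    }


def match(syn: dict, personalities=PERSONALITIES):
    """Return (name of best-matching personality, list of fields that still disagree).
    Fewest mismatching fields wins; ties keep the first personality listed."""
    sig = signature(syn)
    best = None
    for p in personalities:
        diffs = [k for k in sig if getattr(p, k) != sig[k]]
        if best is None or len(diffs) < len(best[1]):
            best = (p.name, diffs)
    return best


# Constructed observed SYNs. TTL 52 = initial 64 minus 12 hops.
UNMODIFIED_SYN = {"ttl": 52, "window": 29200, "df": True,
                  "options": ["MSS", "SACK", "TS", "NOP", "WS"]}
# Only the TTL was rewritten: window and option order still betray the real stack.
PARTIAL_REWRITE_SYN = {"ttl": 116, "window": 29200, "df": True,
                       "options": ["MSS", "SACK", "TS", "NOP", "WS"]}
# Every keyed field rewritten consistently to the "windows-like" personality.
FULL_REWRITE_SYN = {"ttl": 116, "window": 8192, "df": True,
                    "options": ["MSS", "NOP", "WS", "NOP", "NOP", "SACK"]}

if __name__ == "__main__":
    for label, syn in (("unmodified", UNMODIFIED_SYN),
                       ("partial rewrite", PARTIAL_REWRITE_SYN),
                       ("full rewrite", FULL_REWRITE_SYN)):
        name, diffs = match(syn)
        print(f"{label:16s} -> {name:13s} mismatching fields: {diffs or 'none'}")
```

The matcher is deliberately naive (no scoring weights, no timing tests), which is exactly why the partial rewrite is still caught: any field the rewriter leaves untouched is one the fingerprinter can still use. Real tools also compare temporal behaviour such as retransmission timing, which is the class of "temporal constraints" the abstract refers to and which a field-by-field rewrite cannot address.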