
Security Cloak : How to fool Passive OS Scanner


pavs
July 23rd, 2007, 03:52 PM
Security Cloak is designed to protect against TCP/IP stack fingerprinting and computer identification/information leakage via timestamp and window options by modifying relevant registry keys. The settings used are based on the results of SYN packet analysis by p0f. While the OS reported by other OS detection scanners was not identical to that of p0f, testing against Nmap, xprobe2, queso and cheops showed that they were unable to identify the correct operating system/version after Security Cloak settings had been applied.

http://www.linuxhaxor.net/2007/07/23/security-cloak-how-to-fool-passive-os-scanner/

pavs
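To show the mechanism the post describes, here is an added toy passive fingerprinter written for this thread (not Security Cloak's or p0f's code): it keys on the SYN-packet fields p0f uses (window size, TTL, DF, MSS, window scaling, timestamp option) and shows why rewriting the window and timestamp settings makes a signature stop matching. The signature table and OS labels are constructed placeholders, not p0f's real database.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SynProfile:
    """Fields of an outgoing SYN that a passive fingerprinter keys on."""
    window: int               # advertised TCP window size
    ttl: int                  # IP TTL as seen on the wire (may be decremented by hops)
    df: bool                  # IP "don't fragment" flag
    mss: int                  # TCP MSS option
    wscale: Optional[int]     # window-scale option, None if absent
    timestamp: bool           # TCP timestamp option present

# Constructed, hypothetical signatures -- NOT p0f's database.
SIGNATURES = {
    "HYPOTHETICAL-OS-A": SynProfile(65535, 128, True, 1460, None, False),
    "HYPOTHETICAL-OS-B": SynProfile(5840, 64, True, 1460, 2, True),
}

def initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return 255

def fingerprint(observed: SynProfile, sigs=SIGNATURES) -> Optional[str]:
    """Return the OS label whose signature matches the SYN, or None."""
    norm = SynProfile(observed.window, initial_ttl(observed.ttl), observed.df,
                      observed.mss, observed.wscale, observed.timestamp)
    for name, sig in sigs.items():
        if sig == norm:
            return name
    return None

def cloak(profile: SynProfile, window: int, timestamp: bool) -> SynProfile:
    """Model a registry-level change of the window size and timestamp option."""
    return SynProfile(window, profile.ttl, profile.df, profile.mss,
                      profile.wscale, timestamp)

if __name__ == "__main__":
    # Constructed SYN: 10 hops away from a host that matches OS-A.
    seen = SynProfile(65535, 118, True, 1460, None, False)
    print("before:", fingerprint(seen))                  # HYPOTHETICAL-OS-A
    print("after: ", fingerprint(cloak(seen, 5840, True)))  # None
```

The cloaked SYN still carries the original TTL, DF and MSS, so a different tool that weights those fields may still guess something, which is consistent with the post's note that the other scanners did not agree with p0f.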

herbalist
July 23rd, 2007, 07:06 PM
The p0f fingerprint submission link reads my system as XP/2000, with both the user agent switcher and Proxomitron bypassed. Missed the hardware firewall entirely. Only thing it got right is that I have an ethernet modem and my IP. Fooling that isn't much of an accomplishment.
Rick

pavs
July 23rd, 2007, 09:00 PM
What do you mean by it missed the hardware firewall? It's not supposed to give information about your hardware firewall, but your OS; that's the whole point.
It is a "passive OS scanner", what makes you think it's going to work if you hide behind a proxy?

For an active OS scanner use Nmap, or at least learn how to:
http://www.linuxhaxor.net/category/hacking-tools/nmap/

Cheers,
pavs

herbalist
July 24th, 2007, 12:40 AM
The p0f v2 signature contribution specifically asks for firewall/cache systems.
Quote: "Most needed systems: BSDI, IRIX, UnixWare, FreeSCO, AIX, older SunOS, HP-UX, DGUX/Tru64, ULTRIX, NetWare, UNICOS, OS/400, NextSTEP, OpenVMS, BeOS, OSF1, MacOS pre-X and all other minority OSes; proxy firewall/cache systems (Checkpoint, CacheOS); handhelds (Palm), appliances and other network devices."
I'm using a hardware firewall but not a proxy. Either way, it didn't get my OS right either.

You used a screenshot from http://lcamtuf.coredump.cx/p0f-help/ and I wanted to see if it could accurately identify mine. From their page.
Quote: "There are several tools that are capable of performing passive fingerprinting, but as of today and to my knowledge, p0f is simply the best."
I was primarily checking out p0f's accuracy. It wasn't. Regarding NMAP, not needed to check their accuracy in identifying my own system.
Rick